> On May 5, 2017, at 7:07 AM, Zalezny Niezalezny <zalezny.niezale...@gmail.com> > wrote: > > I have a security question. My Postfix 2.10.1
Postfix 3.2, 3.1, 3.0 and 2.11 are all available. http://cdn.postfix.johnriley.me/mirrors/postfix-release/index.html while Postfix 2.10 is no longer supported. If you want to keep up with best practice, upgrade. > Server TLS configuration looks like this at the moment. > > #TLS Server configuration > smtpd_tls_security_level = may > smtpd_tls_cert_file = /etc/postfix/ssl/2017.cer > smtpd_tls_key_file = /etc/postfix/ssl/2017.key You should have, if not already default values with your 2.10.1 (with some vendor patch backports?) Postfix release: smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_ciphers = medium smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_ciphers = medium smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_ciphers = medium smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_ciphers = medium Some people add: smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5 to trim obsolete baggage from the list of ciphers offered by the SMTP client to remote servers. This can actually improve interoperability in some edge cases, and should not cause any loss of ability to negotiate TLS with remote systems. That said, this is not required. You can, if you wish, include RC4 in that list, but it is not as bad as it is made out to be, and would only be negotiated when nothing else better is available, almost all systems prefer AES these days, when available. > One time per month some external company doing security scan on all Postfix > instances. Last time there was a big discussion about anonymous Ciphers. > > Do I need to disable them ? No. See https://tools.ietf.org/html/rfc7672#section-8.2 > What else should I configured for public server? Not much. TLS in SMTP is opportunistic and unauthenticated in the vast majority of cases. Therefore, liberal settings, considered "insecure" in some quarters are entirely appropriate. > Maybe somebody will be so kind and paste here some perfect, working TLS > configuration for public server? There's no such thing as "perfect", but speaking of "perfect" see http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start with Postfix >= 3.2 leave "smtpd_tls_eecdh_grade = auto" in place, that's better than choosing a fixed "curve" (Diffie Hellman group of the "elliptic curve" kind). Also make sure your OpenSSL runtime is up to date. OpenSSL 1.0.1 and earlier are no longer supported, so use a system with 1.0.2 or 1.1.0 patched up to date. -- Viktor.
