On Thu, 23 Nov 2017, Jonathan Sélea wrote:
I did struggle a lot to understand and deploy a secure cipher list that
https://hardenize.com and https://ssl-tool.net would not complain about, so I
came up with this:
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, CAMELLIA,
SEED, 3DES, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256,
AES256-SHA256, AES256-SHA, AES128-SHA
smtpd_tls_eecdh_grade=ultra
tls_preempt_cipherlist = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
My question is, can I improve this further, or do you guys/girls have any
opinion regarding this?
I am grateful for all comments, tips or other suggestions :)
Nothing gets older faster than cipher specifications. Usually it is
best to use a recent version of the SSL libraries and not change the
specs. The defaults incorporate the most recent developments.
If SSLv2, SSLv3 and RC4 are still supported by default on your system,
an update of the software is recommended instead of tuning the specs.
P.S. You always need to keep in mind that you will fall back to plaintext,
so a bad cipher is (usually) better than none.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
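As an added example (not from either poster, and not Postfix's own tooling), the following script reads a main.cf fragment the way the quoted configuration is laid out (values wrapped onto indented continuation lines, lists separated by commas or whitespace) and reports which protocol parameters still permit SSLv2/SSLv3 or lack a weak-cipher exclusion, while listing separately the parameters that are simply unset and therefore use the Postfix/OpenSSL default that the reply recommends relying on. The sample fragment is constructed for the demonstration.

```python
import re

# Constructed main.cf fragment (not the thread's configuration verbatim): the protocol
# lines are set only for smtpd, and the exclude list wraps onto a continuation line.
SAMPLE_MAIN_CF = """\
# TLS settings
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, 3DES
tls_preempt_cipherlist = yes
"""

PROTOCOL_PARAMS = ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
                   "smtp_tls_protocols", "smtp_tls_mandatory_protocols",
                   "lmtp_tls_protocols", "lmtp_tls_mandatory_protocols")
WEAK_CIPHER_TOKENS = ("aNULL", "eNULL", "EXPORT", "RC4", "MD5")

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def audit_tls(params):
    """Return (problems, defaults): explicit settings that still allow SSLv2/SSLv3 or omit a
    weak-cipher exclusion, and parameters left unset so the library/Postfix default applies."""
    problems, defaults = [], []
    for p in PROTOCOL_PARAMS:
        if p not in params:
            defaults.append(p)
            continue
        tokens = set(split_list(params[p]))
        problems += [f"{p} still permits {v}" for v in ("SSLv2", "SSLv3") if "!" + v not in tokens]
    if "smtpd_tls_exclude_ciphers" not in params:
        defaults.append("smtpd_tls_exclude_ciphers")
    else:
        excluded = set(split_list(params["smtpd_tls_exclude_ciphers"]))
        problems += [f"smtpd_tls_exclude_ciphers lacks {t}" for t in WEAK_CIPHER_TOKENS if t not in excluded]
    return problems, defaults

if __name__ == "__main__":
    problems, defaults = audit_tls(parse_main_cf(SAMPLE_MAIN_CF))
    print("problems:", problems)
    print("using defaults:", defaults)
```

To audit a live server, feed it the output of `postconf -n` (which prints the explicitly set parameters one per line) instead of the constructed sample.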