On Thu, Jan 28, 2021 at 09:48:13PM +0000, Chu, Uy wrote:

> smtp_tls_CAfile = /etc/postfix/ca.crt
> smtp_tls_ciphers = high
> smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL
> smtp_tls_loglevel = 2

Not sure why you want to disable aNULL, or set the log level > 1.

> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_protocols = !SSLv2,!SSLv3

These are default values, no need to set them explicitly.

> smtp_tls_security_level = may
> smtp_use_tls = yes

The "smtp_use_tls" setting is obsolete and redundant.

You don't have any SMTP TLS policy table, so there's no need for
"smtp_tls_CAfile", you don't verify any certificates.

> smtpd_tls_CAfile = /etc/postfix/ca.crt

You don't need a CAfile here either, since you don't solicit client
certs. The subject DNs of certs in the CAfile end up in the server
handshake packets, and if there are too many can cause problems.

> smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key
> smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt

Make sure this includes any requisite intermediate CA certs.

> smtpd_tls_ciphers = high
> smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL

With these set, you should not also customise "tls_high_cipherlist" or
"tls_medium_cipherlist".

> smtpd_tls_loglevel = 2

Likely too verbose.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Typically not needed, Postfix 2.10 and up support session tickets instead.

> smtpd_use_tls = yes

Instead use "smtpd_tls_security_level = may"

> tls_high_cipherlist =
> kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
> tls_medium_cipherlist =
> kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Drop these overrides.

-- 
	Viktor.
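For reference, here is the poster's main.cf TLS fragment trimmed according to the points in the reply above. This is an added illustration, not text from Viktor or the Postfix documentation; the certificate and key paths are the ones the poster gave, and the comments restate which parameters were dropped and why.

```ini
# --- SMTP client (outbound) ---
# Opportunistic TLS; "smtp_use_tls" is obsolete and dropped.
smtp_tls_security_level = may
# "smtp_tls_CAfile" dropped: no TLS policy table, so no certificate
# verification takes place and the CA file is never consulted.
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL
# "smtp_tls_protocols" / "smtp_tls_mandatory_protocols" dropped:
# !SSLv2,!SSLv3 is already the default.
# Log level 2 was queried as too verbose; 1 is the usual setting.
smtp_tls_loglevel = 1

# --- SMTP server (inbound) ---
# Replaces the obsolete "smtpd_use_tls = yes".
smtpd_tls_security_level = may
# "smtpd_tls_CAfile" dropped: client certificates are not solicited,
# and a large CA list bloats the server handshake.
smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key
# The cert file must also contain any intermediate CA certificates
# (server cert first, then the chain), as the reply points out.
smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL
smtpd_tls_loglevel = 1
# "smtpd_tls_session_cache_database" dropped: Postfix 2.10 and later
# issue session tickets instead.
# "tls_high_cipherlist" / "tls_medium_cipherlist" overrides dropped:
# the "high" grade plus the exclude list above already selects the
# intended ciphers.
```

Run `postconf -n` after the change to confirm that none of the dropped parameters are still set elsewhere in main.cf.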