From 0179c790c40eecb7e1fdfe9adbe74bf194c848da Mon Sep 17 00:00:00 2001
From: KiekerJan
Date: Sat, 29 Mar 2025 17:05:25 +0100
Subject: [PATCH] update tls settings

---
 setup/mail-postfix.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 6678fd70..67e11088 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -144,7 +144,7 @@ tools/editconf.py /etc/postfix/main.cf \
 smtpd_tls_protocols=">=TLSv1" \
 smtpd_tls_ciphers=medium \
 tls_medium_cipherlist="@SECLEVEL=0:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" \
- smtpd_tls_exclude_ciphers="aNULL CAMELLIA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA" \
+ smtpd_tls_exclude_ciphers="aNULL RC4" \
 tls_preempt_cipherlist=yes \
 smtpd_tls_received_header=yes
 
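Review bot: The new `smtpd_tls_exclude_ciphers="aNULL RC4"` re-enables the non-forward-secret AES suites (`AES128-SHA`, `AES256-GCM-SHA384`, …) that the removed line excluded and that `tls_medium_cipherlist` explicitly lists, leaves `DES-CBC3-SHA` and `@SECLEVEL=0` in effect, and names `RC4`, which matches nothing in that list. That is a defensible choice for the opportunistic profile on port 25, where refusing a legacy suite means the peer falls back to cleartext, but nothing in the script records the rationale, and the two exclude lists in this commit now diverge without explanation. I would add, in the comment block above the `tools/editconf.py` invocation (which starts before the hunk; a `#` line cannot sit between the backslash-continued arguments): `# Opportunistic TLS (port 25): keep legacy suites reachable, since rejecting them means cleartext; tls_preempt_cipherlist=yes makes the server prefer the PFS/AEAD suites listed first.`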
@@ -155,7 +155,7 @@ tools/editconf.py /etc/postfix/main.cf \
 smtpd_tls_mandatory_protocols=">=TLSv1.2" \
 smtpd_tls_mandatory_ciphers=high \
 tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 \
- smtpd_tls_mandatory_exclude_ciphers="aNULL CAMELLIA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA"
+ smtpd_tls_mandatory_exclude_ciphers="aNULL DES 3DES MD5 DES+MD5 RC4 CAMELLIA"
 
 # Prevent non-authenticated users from sending mail that requires being
 # relayed elsewhere. We don't want to be an "open relay". On outbound
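Review bot: None of the names in the new `smtpd_tls_mandatory_exclude_ciphers="aNULL DES 3DES MD5 DES+MD5 RC4 CAMELLIA"` appear in `tls_high_cipherlist` two lines above, which holds only ECDHE/DHE AES-GCM and ChaCha20-Poly1305 suites, and `smtpd_tls_mandatory_protocols=">=TLSv1.2"` already rules out the MD5 and DES-era suites, so the exclusions are defence-in-depth rather than a change to the negotiated set. That is worth keeping, but a comment should say so, e.g. `# Mandatory TLS (submission): tls_high_cipherlist is already PFS/AEAD only; the exclusions only guard against future edits to that list.`, placed above the `tools/editconf.py` invocation since a `#` line cannot sit between backslash-continued arguments. `DES+MD5` is subsumed by the separate `DES` and `MD5` entries and could be dropped for clarity. Since the exclusions are applied by Postfix rather than visible here, checking the effective list once with `openssl ciphers -v` against the combined string would confirm nothing unexpected survives.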