strengthen the cyphers and protocols allowed by Dovecot and Postfix submission

This commit is contained in:
Joshua Tauberer 2014-06-22 19:03:11 +00:00
parent 343886d818
commit 45e93f7dcc
1 changed files with 11 additions and 7 deletions


@ -34,15 +34,17 @@ tools/editconf.py /etc/postfix/main.cf \
smtpd_banner="\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://github.com/joshdata/mailinabox)" \ smtpd_banner="\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://github.com/joshdata/mailinabox)" \
mydestination=localhost mydestination=localhost
# Enable the 'submission' port 587 smtpd server, and give it a different # Enable the 'submission' port 587 smtpd server and tweak its settings.
# name in syslog to distinguish it from the port 25 smtpd server. # a) Require the best ciphers for incoming connections per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
# # but without affecting opportunistic TLS on incoming mail, which will allow any cipher (it's better than none).
# Add a new cleanup service specific to the submission service ('authclean') # b) Give it a different name in syslog to distinguish it from the port 25 smtpd server.
# c) Add a new cleanup service specific to the submission service ('authclean')
# that filters out privacy-sensitive headers on mail being sent out by # that filters out privacy-sensitive headers on mail being sent out by
# authenticated users. # authenticated users.
tools/editconf.py /etc/postfix/master.cf -s -w \ tools/editconf.py /etc/postfix/master.cf -s -w \
"submission=inet n - - - - smtpd "submission=inet n - - - - smtpd
-o syslog_name=postfix/submission -o syslog_name=postfix/submission
-o smtpd_tls_ciphers=high -o smtpd_tls_protocols=!SSLv2,!SSLv3
-o cleanup_service_name=authclean" \ -o cleanup_service_name=authclean" \
"authclean=unix n - - - 0 cleanup "authclean=unix n - - - 0 cleanup
-o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters" -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters"
@ -237,11 +239,13 @@ tools/editconf.py /etc/dovecot/conf.d/15-lda.conf \
# Drew Crawford sets the auth-worker process to run as the mail user, but we don't care if it runs as root. # Drew Crawford sets the auth-worker process to run as the mail user, but we don't care if it runs as root.
# Enable SSL and specify the location of the SSL certificate and private key files. # Enable SSL, specify the location of the SSL certificate and private key files,
# and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
ssl=required \ ssl=required \
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
"ssl_cipher_list=TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH"
# PERMISSIONS / RESTART SERVICES # PERMISSIONS / RESTART SERVICES
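Review bot: The new Dovecot `ssl_cipher_list` line restricts cipher suites only: `TLSv1+HIGH` and `!SSLv2` are OpenSSL cipher-string selectors, not protocol-version controls, so SSLv3 can still be negotiated on IMAP/POP unless `ssl_protocols` is set as well, and this hunk, unlike the Postfix one (which adds `smtpd_tls_protocols=!SSLv2,!SSLv3`), does not touch it even though the commit title promises both ciphers and protocols for Dovecot. Adding `"ssl_protocols=!SSLv2 !SSLv3"` as one more argument to the same editconf.py call would make the two services consistent. The comment at the top of that hunk should then also mention protocols, e.g. `# and allow only good ciphers and protocols per ...`. On the Postfix hunk, `smtpd_tls_ciphers` and `smtpd_tls_protocols` govern opportunistic TLS; if the submission service runs with `smtpd_tls_security_level=encrypt` (not visible in this hunk), it is the `smtpd_tls_mandatory_ciphers` and `smtpd_tls_mandatory_protocols` variants that take effect, so that should be checked against the rest of the file.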