From 7ca42489ae0320927773145420d7f7923e4fd454 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Tue, 5 May 2015 23:50:07 +0000 Subject: [PATCH] drop legacy, export-grade, and anonymous ciphers from SMTP (port 25, opportunistic) Even though SMTP (on port 25) is typically opportunistic and a MitM attack can't be prevented, we may as well only offer ciphers that provide some level of security. If a client is so old or misconfigured that it doesn't support newer ciphers, it should hopefully fall back to a non-TLS connection. Postfix's default was basically anything goes (anonymous and 40-bit ciphers!). Google's MTA's only offer ciphers at 112 bits at greater, and this change approximates that with Postfix's "medium" setting. Fixes #371 --- setup/mail-postfix.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index ce44f943..a9e335a9 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -94,6 +94,8 @@ tools/editconf.py /etc/postfix/main.cf \ smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \ smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \ smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \ + smtpd_tls_ciphers=medium \ + smtpd_tls_exclude_ciphers=aNULL \ smtpd_tls_received_header=yes # Prevent non-authenticated users from sending mail that requires being