drop legacy, export-grade, and anonymous ciphers from SMTP (port 25, opportunistic)

Even though SMTP (on port 25) is typically opportunistic and a MitM attack can't be prevented, we may as well only offer ciphers that provide some level of security. If a client is so old or misconfigured that it doesn't support newer ciphers, it should hopefully fall back to a non-TLS connection. Postfix's default was basically anything goes (anonymous and 40-bit ciphers!). Google's MTA's only offer ciphers at 112 bits at greater, and this change approximates that with Postfix's "medium" setting. Fixes #371
2024-11-22 02:17:26 +00:00 · 2015-05-05 23:50:07 +00:00 · 2015-05-05 23:50:07 +00:00 · 7ca42489ae
commit 7ca42489ae
parent 8c6363f792
1 changed files with 2 additions and 0 deletions
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -94,6 +94,8 @@ tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 	smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 	smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
+	smtpd_tls_ciphers=medium \
+	smtpd_tls_exclude_ciphers=aNULL \
 	smtpd_tls_received_header=yes

 # Prevent non-authenticated users from sending mail that requires being