Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
postfix [2018/10/28 21:01] steve [Virtual Domains and Aliases] |
postfix [2018/10/30 16:56] steve [Security] |
||
|---|---|---|---|
| Line 75: | Line 75: | ||
| If creating a new ''/var/log/maillog'' you will need to restart your system logger **in addition** to postfix for it to populate. | If creating a new ''/var/log/maillog'' you will need to restart your system logger **in addition** to postfix for it to populate. | ||
| + | |||
| + | ==== Security ==== | ||
| + | |||
| + | Enable Postfix to use TLS if possible. Clients and servers that connect may use it. In ''main.cf'': | ||
| + | |||
| + | <code> | ||
| + | smtp_tls_security_level = may | ||
| + | smtpd_tls_security_level = may | ||
| + | </code> | ||
| + | |||
| + | If you have your own certs, enable those as well. In this case, the ''server.pem'' is the combination of the CRT PEM and the CA bundle PEM. Be sure to set the key to read-only for the root user as well. | ||
| + | |||
| + | <code> | ||
| + | cat beandog.crt.pem ca_bundle.pem > server.pem | ||
| + | </code> | ||
| + | |||
| + | <code> | ||
| + | smtpd_tls_cert_file = /etc/postfix/server.pem | ||
| + | smtpd_tls_key_file = /etc/postfix/server.key | ||
| + | </code> | ||
| + | |||
| + | Postfix can define which protocols and ciphers to ignore, and set the preferred order as well. Here, ignore TLSv1 and use stronger ciphers. | ||
| + | |||
| + | Also, if you are using OpenSSL 1.1.1 or higher, you can add TLSv1.3 to the list. | ||
| + | |||
| + | <code> | ||
| + | smtp_tls_ciphers = high | ||
| + | smtp_tls_mandatory_ciphers = high | ||
| + | smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1 | ||
| + | smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1 | ||
| + | |||
| + | smtpd_tls_ciphers = high | ||
| + | smtpd_tls_mandatory_ciphers = high | ||
| + | smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1 | ||
| + | smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1 | ||
| + | </code> | ||
| + | |||
| + | Specific ciphers can be disabled as well. For a list of all ciphers that are available, use ''openssl'': | ||
| + | |||
| + | <code> | ||
| + | openssl ciphers | ||
| + | </code> | ||
| + | |||
| + | To make it easier to read, one per line: | ||
| + | |||
| + | <code> | ||
| + | openssl ciphers | tr ':' '\n' | ||
| + | </code> | ||
| + | |||
| + | You can find the ciphers or cipher family you'd like to drop by specifying the cipher list. For example:: | ||
| + | |||
| + | <code> | ||
| + | openssl ciphers MD5:aNULL | ||
| + | </code> | ||
| + | |||
| + | And then disable those in ''main.cf'': | ||
| + | |||
| + | <code> | ||
| + | smtp_tls_exclude_ciphers = MD5, aNULL | ||
| + | smtp_tls_mandatory_exclude_ciphers = MD5, aNULL | ||
| + | |||
| + | smtpd_tls_exclude_ciphers = MD5, aNULL | ||
| + | smtpd_tls_mandatory_exclude_ciphers = MD5, aNULL | ||
| + | </code> | ||
| ==== Virtual Domains and Aliases ==== | ==== Virtual Domains and Aliases ==== | ||
