From b039a40bf9c7242a65906db7b734d6cc0c3f248b Mon Sep 17 00:00:00 2001
From: Matthew R
Date: Sat, 5 Jun 2021 17:43:04 -0400
Subject: [PATCH] TLS parameters for Postfix

---
 Postfix/main.conf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Postfix/main.conf b/Postfix/main.conf
index 0520643..c730172 100644
--- a/Postfix/main.conf
+++ b/Postfix/main.conf
@@ -33,16 +33,22 @@ broken_sasl_auth_clients = yes
 smtpd_tls_cert_file=/etc/postfix/ssl/globalsign.crt
 smtpd_tls_key_file=/etc/postfix/ssl/globalsign.key.pem
 smtpd_use_tls=yes
+smtpd_tls_auth_only = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_security_level = may
+smtp_tls_security_level = encrypt
 smtpd_tls_security_level = may
 smtp_tls_note_starttls_offer = yes
 smtpd_tls_CAfile = /etc/postfix/ssl/globalsign.ca.crt
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_ciphers = medium
 tls_random_source = dev:/dev/urandom
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
 # RESTRICTIONS
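Review bot: `smtp_tls_security_level = encrypt` makes every outbound delivery require STARTTLS, so mail to any MX that does not offer TLS is deferred and eventually bounced, while the peer certificate is still not authenticated; unless this host relays everything through a `relayhost` (not visible in this hunk), the usual pattern is `smtp_tls_security_level = may` (or `dane` where the resolver supports it) with per-destination `encrypt`/`secure` entries in `smtp_tls_policy_maps`. The overridden `tls_medium_cipherlist` also applies to the opportunistic `smtpd_tls_ciphers` and client `smtp_tls_ciphers` levels, whose defaults are `medium`, and with `smtpd_tls_security_level = may` a sender that cannot negotiate one of these AEAD suites (or is excluded by `!TLSv1, !TLSv1.1` in `smtpd_tls_protocols`) falls back to cleartext rather than failing, so the narrowing reduces how often opportunistic TLS succeeds; keep the hardening in the `*_mandatory_*` parameters and leave the opportunistic ones at their defaults. The outbound side gets no matching protocol floor even though client TLS is now mandatory, so add `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` next to the smtpd settings. A one-line comment above `tls_medium_cipherlist` stating why the stock list is replaced would help the next maintainer, since Postfix documentation advises against changing it without a specific reason.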