This is a guide for setting up forward secrecy with Postfix and Dovecot mail services.

h2. Prepare the Environment

* Make sure the system is up to date:
apt-get update && apt-get upgrade

h2. Harden Postfix

* Generate DH parameters. We do not go with 2048-bit EDH here, as not all clients may support it. (Postfix uses the 512-bit parameters only for export-grade ciphers, which are not part of the high cipher grade configured below; the 1024-bit parameters are the ones used for the regular EDH ciphers.)
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

* Edit the main postfix config file:
nano /etc/postfix/main.cf
#* And add/modify the following parameters:
#the dh params
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

#enable ECDH
smtpd_tls_eecdh_grade = strong

#enabled TLS protocols: do not allow SSLv2 or SSLv3
smtpd_tls_protocols= !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3

#allowed ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_ciphers = high

#allowed ciphers for smtpd_tls_security_level=may
#smtpd_tls_ciphers = high

#enforce the server cipher preference
tls_preempt_cipherlist = yes

#exclude the following ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL

#exclude the following ciphers for smtpd_tls_security_level=may
#smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL

#enable TLS logging to see the ciphers for inbound connections
smtpd_tls_loglevel = 1

#enable TLS logging to see the ciphers for outbound connections
smtp_tls_loglevel = 1

* Restart postfix
service postfix restart

h2. Harden Dovecot

Dovecot tries to use Perfect Forward Secrecy by default, so apart from having SSL enabled, almost no further action is required.

* Edit the Dovecot config file:
nano /etc/dovecot/dovecot.conf
#* And add/modify the following:
# specify the cipher list to use

#only for dovecot >=2.2.6, enforce the server cipher preference
ssl_prefer_server_ciphers = yes

#disable SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3

* Restart Dovecot:
service dovecot restart

h2. Testing

* Try SSLv2, which should not work: the handshake should fail or simply hang (replace <host>:<port> with your mail server and the port to test)
openssl s_client -connect <host>:<port> -ssl2

* Test SMTP with STARTTLS (the TLS log lines from smtpd_tls_loglevel = 1 show the negotiated cipher)
openssl s_client -starttls smtp -connect <host>:<port>

* Test IMAP with STARTTLS
openssl s_client -starttls imap -connect <host>:<port>