Feature #611

Updated by Daniel Curtis over 5 years ago

This is a guide for setting up forward secrecy with Postfix and Dovecot mail services.

h2. Prepare the Environment

* Make sure the system is up to date:
<pre>
apt-get update && apt-get upgrade
</pre>

h2. Harden Postfix

* Generate the DH parameters. This guide stays with 512- and 1024-bit EDH groups rather than 2048-bit, because not all clients support the larger group:
<pre>
# "gendh" is the legacy OpenSSL subcommand; on newer OpenSSL releases the
# equivalent is "openssl dhparam -2 -out <file> <bits>"
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
</pre>

* Edit the main postfix config file:
<pre>
nano /etc/postfix/main.cf
</pre>
#* And add/modify the following parameters:
<pre>
#the dh params
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

#enable ECDH
smtpd_tls_eecdh_grade = strong

#enabled SSL protocols, don't allow SSLv2 and SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

#allowed ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_ciphers = high

#allowed ciphers for smtpd_tls_security_level=may
#smtpd_tls_ciphers = high

#enforce the server cipher preference
tls_preempt_cipherlist = yes

#disable the following ciphers for smtpd_tls_security_level=encrypt
#(PSK = pre-shared-key suites; the often-copied "PSD" is a typo OpenSSL silently ignores)
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL

#disable the following ciphers for smtpd_tls_security_level=may
#smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL

#enable TLS logging to see the ciphers for inbound connections
smtpd_tls_loglevel = 1

#enable TLS logging to see the ciphers for outbound connections
smtp_tls_loglevel = 1
</pre>

* Restart postfix
<pre>
service postfix restart
</pre>

h2. Harden Dovecot

Dovecot prefers forward-secret cipher suites by default, so beyond having SSL enabled almost nothing needs to change.

* Edit the Dovecot config file:
<pre>
nano /etc/dovecot/dovecot.conf
</pre>
#* And add/modify the following:
<pre>
# specify the cipher list to use (the trailing !RC4 overrides the EECDH+aRSA+RC4 entry)
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

# only for Dovecot >= 2.2.6: enforce the server cipher preference
ssl_prefer_server_ciphers = yes

# disable SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3
</pre>

* Restart Dovecot:
<pre>
service dovecot restart
</pre>

h2. Testing

* Try SSLv2, which should not work; the connection just hangs until you interrupt it with Ctrl-C:
<pre>
openssl s_client -connect mail.example.com:143 -ssl2
^C
</pre>

* Test smtp with starttls
<pre>
openssl s_client -starttls smtp -connect mail.example.com:25
quit
</pre>
#* _Truncated output_:
<pre>
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
</pre>


* Test imap with starttls
<pre>
openssl s_client -starttls imap -connect mail.example.com:143
logout
</pre>
#* _Truncated output_:
<pre>
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
</pre>
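The TLS logging enabled above (smtpd_tls_loglevel / smtp_tls_loglevel = 1) and the s_client checks in this section both come down to the same question: was a non-legacy protocol negotiated with a forward-secret cipher suite? The script below is an added example, not part of this wiki page or of Postfix/Dovecot. It parses Postfix's "TLS connection established" log lines for inbound (smtpd) and outbound (smtp) connections and flags any that used SSLv2/SSLv3 or a suite without ephemeral (EC)DH, and it applies the same check to the SSL-Session summary that openssl s_client prints. The log lines and the session summary embedded in it are constructed samples (hostnames and addresses are documentation ranges); the forward-secrecy rule is based on OpenSSL's cipher-suite naming (ECDHE-, DHE-, EDH- prefixes, and all TLS 1.3 suites).

```python
import re
from typing import Dict, List, Optional

# Postfix writes this line at TLS loglevel 1 for every TLS session.
# Peer is "host[ip]" for inbound (postfix/smtpd) and "host[ip]:port" for outbound (postfix/smtp).
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>.+?): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# "Protocol : ..." and "Cipher : ..." lines of the SSL-Session block printed by openssl s_client.
SESSION_FIELD = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)\s*$", re.MULTILINE)

# Authenticated ephemeral key exchange in OpenSSL suite names; TLS 1.3 suites (TLS_...) are always ephemeral.
# Anonymous ephemeral suites (ADH-/AECDH-) deliberately do not count: unauthenticated.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}

# Constructed sample syslog lines (not real traffic).
SAMPLE_LOG = [
    "Mar  1 10:00:01 mail postfix/smtpd[2101]: connect from client.example.net[192.0.2.10]",
    "Mar  1 10:00:02 mail postfix/smtpd[2101]: Anonymous TLS connection established from client.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Mar  1 10:05:13 mail postfix/smtp[2150]: Untrusted TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)",
    "Mar  1 10:07:44 mail postfix/smtp[2151]: Untrusted TLS connection established to old-mx.example.org[203.0.113.9]:25: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Mar  1 10:09:02 mail postfix/smtp[2152]: Untrusted TLS connection established to legacy.example.org[203.0.113.20]:25: SSLv3 with cipher RC4-SHA (128/128 bits)",
]

# Constructed s_client session summary, shaped like the truncated output shown above.
SAMPLE_SESSION = "SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES256-GCM-SHA384\n"


def is_forward_secret(cipher: str) -> bool:
    """True when the suite uses an authenticated ephemeral DH/ECDH exchange."""
    return cipher.startswith(FS_PREFIXES)


def parse_tls_line(line: str) -> Optional[Dict[str, str]]:
    """Extract daemon, trust level, peer, protocol and cipher from a Postfix TLS log line."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None


def audit_log(lines: List[str]) -> Dict[str, object]:
    """Count TLS sessions and list those on a banned protocol or without forward secrecy."""
    report: Dict[str, object] = {"total": 0, "forward_secret": 0, "findings": []}
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue  # not a TLS session line (e.g. "connect from")
        report["total"] += 1
        problems = []
        if rec["proto"] in BANNED_PROTOCOLS:
            problems.append("legacy protocol " + rec["proto"])
        if not is_forward_secret(rec["cipher"]):
            problems.append("no forward secrecy (" + rec["cipher"] + ")")
        if problems:
            direction = "inbound from" if rec["daemon"] == "smtpd" else "outbound to"
            report["findings"].append(f"{direction} {rec['peer']}: " + "; ".join(problems))
        else:
            report["forward_secret"] += 1
    return report


def check_session(s_client_output: str) -> Dict[str, object]:
    """Judge an openssl s_client SSL-Session block by the same protocol and cipher rules."""
    fields = dict(SESSION_FIELD.findall(s_client_output))
    proto = fields.get("Protocol", "")
    cipher = fields.get("Cipher", "")
    ok = bool(proto) and proto not in BANNED_PROTOCOLS and is_forward_secret(cipher)
    return {"ok": ok, "protocol": proto, "cipher": cipher}


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    print(f"{result['forward_secret']}/{result['total']} TLS sessions forward secret")
    for finding in result["findings"]:
        print("  ", finding)
    print("s_client session:", check_session(SAMPLE_SESSION))
```

To run it against a live server, pipe the mail log in place of SAMPLE_LOG (e.g. read /var/log/mail.log line by line) and feed the saved output of the s_client commands above to check_session; outbound findings are expected to be more common than inbound ones, because the remote MX decides what it supports and this page does not set smtp_tls_protocols or smtp_tls_exclude_ciphers.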


h2. Resources

* https://www.2realities.com/blog/2014/02/13/secure-ssl-configuration-for-apache-postfix-dovecot/
