Feature #611
Configure Postfix and Dovecot To Use Forward Secrecy
Description
This is a guide for setting up forward secrecy with Postfix and Dovecot mail services.
Prepare the Environment
- Make sure the system is up to date:
apt-get update && apt-get upgrade
Harden Postfix
- Generate DH parameters. We don't use 2048-bit EDH here, since not all clients might support it:
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
- Edit the main postfix config file:
nano /etc/postfix/main.cf
- And add/modify the following parameters:
# the DH params
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
# enable ECDH
smtpd_tls_eecdh_grade = strong
# enabled SSL protocols, don't allow SSLv2 and SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# allowed ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_ciphers = high
# allowed ciphers for smtpd_tls_security_level=may
#smtpd_tls_ciphers = high
# enforce the server cipher preference
tls_preempt_cipherlist = yes
# disable the following ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL
# disable the following ciphers for smtpd_tls_security_level=may
#smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL
# enable TLS logging to see the ciphers for inbound connections
smtpd_tls_loglevel = 1
# enable TLS logging to see the ciphers for outbound connections
smtp_tls_loglevel = 1
- Restart Postfix:
service postfix restart
Harden Dovecot
Dovecot tries to use perfect forward secrecy by default, so apart from having SSL enabled, almost nothing needs to be done.
- Edit the Dovecot config file:
nano /etc/dovecot/dovecot.conf
- And add/modify the following:
# specify the cipher list to use
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
# only for Dovecot >= 2.2.6, enforce the server cipher preference
ssl_prefer_server_ciphers = yes
# disable SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3
- Restart Dovecot:
service dovecot restart
Testing
- Try SSLv2, which shouldn't work and should just hang (abort with Ctrl-C):
openssl s_client -connect mail.example.com:143 -ssl2
^C
- Test SMTP with STARTTLS:
openssl s_client -starttls smtp -connect mail.example.com:25
quit
- Truncated output:
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
- Test IMAP with STARTTLS:
openssl s_client -starttls imap -connect mail.example.com:143
logout
- Truncated output:
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
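The manual s_client checks above can be scripted so the SSL-Session block is verified instead of read by eye. This is an added example, not part of the original guide: it parses the Protocol and Cipher lines that openssl s_client prints and only passes when the key exchange is ephemeral (ECDHE/DHE, or any TLS 1.3 suite). The host name mail.example.com is the guide's placeholder, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): verify forward secrecy on an
# SMTP/IMAP STARTTLS endpoint by parsing the SSL-Session block of
# "openssl s_client" output, the same block the guide shows truncated.

# fs_check_session: reads s_client output on stdin, prints "<protocol> <cipher>"
# and returns 0 only for TLS 1.2+ with an ephemeral key exchange
# (ECDHE-*/DHE-* suites, or any TLS 1.3 suite, which are all ephemeral).
fs_check_session() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    printf '%s %s\n' "$proto" "$cipher"
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) return 1 ;;                     # SSLv3/TLS 1.0/1.1, or no session at all
    esac
    case "$cipher" in
        ECDHE-*|DHE-*|TLS_*) return 0 ;;   # ephemeral (EC)DH key exchange
        *) return 1 ;;                     # static RSA or unknown suite
    esac
}

# fs_check_host PROTO HOST PORT: run the guide's STARTTLS test non-interactively.
# Reading stdin from /dev/null makes s_client exit right after the handshake,
# which replaces the "quit"/"logout" typed by hand in the guide.
fs_check_host() {
    openssl s_client -starttls "$1" -connect "$2:$3" </dev/null 2>/dev/null | fs_check_session
}

# Constructed sample matching the guide's truncated output (forward secret).
SAMPLE_FS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
# Constructed sample of a session without forward secrecy (static RSA key exchange).
SAMPLE_NOFS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'

# Live usage (needs network access to the placeholder host from the guide):
# fs_check_host smtp mail.example.com 25 && fs_check_host imap mail.example.com 143
```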
Resources