Feature #611
Updated by Daniel Curtis over 9 years ago
This is a guide for setting up forward secrecy with Postfix and Dovecot mail services.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
apt-get update && apt-get upgrade
</pre>
h2. Harden Postfix
* Generate DH parameters. We don't go with 2048-bit EDH because not all clients might support it:
<pre>
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
</pre>
* Edit the main postfix config file:
<pre>
nano /etc/postfix/main.cf
</pre>
** And add/modify the following parameters:
<pre>
# the DH parameters generated above (used for DHE key exchange)
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
# enable ECDH(E) key exchange
smtpd_tls_eecdh_grade = strong
# enabled SSL/TLS protocols: don't allow SSLv2 and SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# allowed ciphers when smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_ciphers = high
# allowed ciphers when smtpd_tls_security_level = may (uncomment to enable)
#smtpd_tls_ciphers = high
# enforce the server's cipher preference over the client's
tls_preempt_cipherlist = yes
# ciphers excluded when smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL
# ciphers excluded when smtpd_tls_security_level = may (uncomment to enable)
#smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL
# TLS logging at level 1 shows the negotiated cipher for inbound connections
smtpd_tls_loglevel = 1
# ... and for outbound connections
smtp_tls_loglevel = 1
</pre>
* Restart postfix
<pre>
service postfix restart
</pre>
h2. Harden Dovecot
Dovecot tries to use Perfect Forward Secrecy by default, so once SSL is enabled almost nothing else is required.
* Edit the Dovecot config file:
<pre>
nano /etc/dovecot/dovecot.conf
</pre>
** And add/modify the following:
<pre>
# specify the cipher list to use (server-preferred order, ECDHE/DHE first)
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
# only for Dovecot >= 2.2.6: enforce the server cipher preference
ssl_prefer_server_ciphers = yes
# disable SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3
</pre>
* Restart Dovecot:
<pre>
service dovecot restart
</pre>
h2. Testing
* Try SSLv2, which shouldn't work: the connection should just hang (abort it with Ctrl-C)
<pre>
openssl s_client -connect mail.example.com:143 -ssl2
^C
</pre>
* Test SMTP with STARTTLS (type @quit@ after the handshake output):
<pre>
openssl s_client -starttls smtp -connect mail.example.com:25
quit
</pre>
* Test IMAP with STARTTLS (type @logout@ after the handshake output):
<pre>
openssl s_client -starttls imap -connect mail.example.com:143
logout
</pre>
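The manual checks above can be scripted. The POSIX shell helper below is an added example, not code from the original guide or the linked blog post: it parses the @SSL-Session@ block of @openssl s_client@ output and reports whether the negotiated suite uses ephemeral (ECDHE/DHE) key exchange and whether SSLv2/SSLv3 was rejected. The function names, the verdict words and the host @mail.example.com@ are assumptions; the sample outputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide): classify what
# "openssl s_client" negotiated so the STARTTLS tests can be scripted.
# Assumes the s_client output format with "Protocol  :" and "Cipher    :"
# lines in the SSL-Session block.

# pfs_verdict: reads s_client output on stdin and prints one word:
#   ok        - TLS handshake with ephemeral (ECDHE/DHE) key exchange
#   no-pfs    - TLS handshake, but static key exchange (no forward secrecy)
#   bad-proto - handshake completed over SSLv2/SSLv3, which the guide disables
#   no-tls    - no cipher negotiated (server refused, or the session hung)
pfs_verdict() {
    sc_out=$(cat)
    sc_proto=$(printf '%s\n' "$sc_out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    sc_cipher=$(printf '%s\n' "$sc_out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$sc_cipher" in
        ''|0000|'(NONE)') echo no-tls; return 0 ;;
    esac
    case "$sc_proto" in
        SSLv2|SSLv3) echo bad-proto; return 0 ;;
        TLSv1.3) echo ok; return 0 ;;      # TLS 1.3 suites are always ephemeral
    esac
    case "$sc_cipher" in
        ECDHE-*|DHE-*|EDH-*) echo ok ;;    # OpenSSL names for ECDHE/DHE suites
        *) echo no-pfs ;;
    esac
}

# check_starttls HOST PORT PROTO: run the same s_client command as the guide
# (PROTO is "smtp" or "imap") and print the verdict for that service.
check_starttls() {
    openssl s_client -starttls "$3" -connect "$1:$2" </dev/null 2>/dev/null | pfs_verdict
}

# Usage (replace mail.example.com with your own server):
#   check_starttls mail.example.com 25 smtp
#   check_starttls mail.example.com 143 imap
```

A server that hangs instead of refusing (as the SSLv2 check above does) will keep @s_client@ waiting, so wrap @check_starttls@ in @timeout@ where it is available.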
h2. Resources
* https://www.2realities.com/blog/2014/02/13/secure-ssl-configuration-for-apache-postfix-dovecot/