Feature #611
Updated by Daniel Curtis over 9 years ago
This is a guide for setting up forward secrecy with the Postfix and Dovecot mail services.

h2. Prepare the Environment

* Make sure the system is up to date:
<pre>
apt-get update && apt-get upgrade
</pre>

h2. Harden Postfix

* Generate DH params. We don't go with 2048-bit EDH, as not all clients might support it:
<pre>
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
</pre>
* Edit the main Postfix config file:
<pre>
nano /etc/postfix/main.cf
</pre>
#* And add/modify the following parameters:
<pre>
#the dh params
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

#enable ECDH
smtpd_tls_eecdh_grade = strong

#enabled SSL protocols, don't allow SSLv2 and SSLv3
smtpd_tls_protocols= !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3

#allowed ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_ciphers = high
#allowed ciphers for smtpd_tls_security_level=may
#smtpd_tls_ciphers = high

#enforce the server cipher preference
tls_preempt_cipherlist = yes

#disable following ciphers for smtpd_tls_security_level=encrypt
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
#disable following ciphers for smtpd_tls_security_level=may
#smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL

#enable TLS logging to see the ciphers for inbound connections
smtpd_tls_loglevel = 1
#enable TLS logging to see the ciphers for outbound connections
smtp_tls_loglevel = 1
</pre>
* Restart Postfix:
<pre>
service postfix restart
</pre>

h2. Harden Dovecot

Dovecot tries to use Perfect Forward Secrecy by default, so besides enabling SSL almost no further action is required.

* Edit the Dovecot config file:
<pre>
nano /etc/dovecot/dovecot.conf
</pre>
#* And add/modify the following:
<pre>
# specify the cipher list to use
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

#only for dovecot >=2.2.6, enforce the server cipher preference
ssl_prefer_server_ciphers = yes

#disable SSLv2 and SSLv3
ssl_protocols = !SSLv2 !SSLv3
</pre>
* Restart Dovecot:
<pre>
service dovecot restart
</pre>

h2. Testing

* Try SSLv2, which should not work and should just hang:
<pre>
openssl s_client -connect mail.example.com:143 -ssl2
^C
</pre>
* Test SMTP with STARTTLS:
<pre>
openssl s_client -starttls smtp -connect mail.example.com:25
quit
</pre>
#* _Truncated output_:
<pre>
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
</pre>
* Test IMAP with STARTTLS:
<pre>
openssl s_client -starttls imap -connect mail.example.com:143
logout
</pre>
#* _Truncated output_:
<pre>
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
</pre>

h2. Resources

* https://www.2realities.com/blog/2014/02/13/secure-ssl-configuration-for-apache-postfix-dovecot/
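The manual checks in the Testing section above can be scripted. The following is an added example, not part of the original guide: a shell function that reads `openssl s_client` output and verifies that the session was negotiated with TLSv1.2 and a forward-secret cipher that avoids the algorithms the Postfix exclude list names. The `mail.example.com` host in the usage comment and the sample sessions are constructed.

```shell
#!/bin/sh
# check_session reads `openssl s_client` output on stdin and returns 0 only
# when the SSL-Session block shows TLSv1.2 with an ephemeral (EC)DH cipher
# that uses none of the excluded algorithms (aNULL, RC4, DES/3DES, MD5, eNULL).
# Live use (constructed hostname):
#   openssl s_client -starttls smtp -connect mail.example.com:25 </dev/null 2>/dev/null | check_session
check_session() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)

    # No SSL-Session block: the handshake failed (e.g. SSLv2/SSLv3 refused).
    if [ -z "$proto" ] || [ -z "$cipher" ]; then
        echo "FAIL: no TLS session negotiated"; return 1
    fi
    case "$proto" in
        TLSv1.2) ;;
        *) echo "FAIL: protocol $proto (expected TLSv1.2)"; return 1 ;;
    esac
    # Algorithms the guide excludes (anonymous DH, RC4, DES/3DES, MD5, NULL).
    case "$cipher" in
        ADH-*|AECDH-*|*RC4*|*DES-CBC*|*MD5*|*NULL*)
            echo "FAIL: cipher $cipher uses an excluded algorithm"; return 1 ;;
    esac
    # Forward secrecy needs an ephemeral key exchange: ECDHE, DHE or EDH suites.
    case "$cipher" in
        ECDHE-*|DHE-*|EDH-*) ;;
        *) echo "FAIL: cipher $cipher has no ephemeral key exchange"; return 1 ;;
    esac
    echo "OK: $proto $cipher"
    return 0
}

# Constructed sample sessions mirroring the guide's truncated s_client output.
SAMPLE_GOOD='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_STATIC_RSA='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
SAMPLE_RC4='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-RC4-SHA'
```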