After getting my web server ramping up on encryption, the next target is the mail delivery and transport agent. In my case this is postfix and here are the settings for the TLS part:
# TLS parameters
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/mail.klammeraffe.org/ca.crt
smtpd_tls_cert_file=/etc/ssl/mail.klammeraffe.org/mail.klammeraffe.org.pem
smtpd_tls_key_file=/etc/ssl/mail.klammeraffe.org/mail.klammeraffe.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/mail.klammeraffe.org/dh1024.pem
smtpd_tls_dh512_param_file = /etc/ssl/mail.klammeraffe.org/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_ssl_options = NO_COMPRESSION
tls_preempt_cipherlist = yes
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Recent Comments