Skip to content

M
mailinabox
Commit 45e93f7d authored by Joshua Tauberer's avatar Joshua Tauberer
Browse files
Options

strengthen the cyphers and protocols allowed by Dovecot and Postfix submission

parent 343886d8
Hide whitespace changes
Inline Side-by-side
Showing with 11 additions and 7 deletions
setup/mail.sh
View file @ 45e93f7d
...@@ -34,15 +34,17 @@ tools/editconf.py /etc/postfix/main.cf \ ...@@ -34,15 +34,17 @@ tools/editconf.py /etc/postfix/main.cf \
smtpd_banner="\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://github.com/joshdata/mailinabox)" \ smtpd_banner="\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://github.com/joshdata/mailinabox)" \
mydestination=localhost mydestination=localhost
# Enable the 'submission' port 587 smtpd server, and give it a different # Enable the 'submission' port 587 smtpd server and tweak its settings.
# name in syslog to distinguish it from the port 25 smtpd server. # a) Require the best ciphers for incoming connections per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
# # but without affecting opportunistic TLS on incoming mail, which will allow any cipher (it's better than none).
# Add a new cleanup service specific to the submission service ('authclean') # b) Give it a different name in syslog to distinguish it from the port 25 smtpd server.
# that filters out privacy-sensitive headers on mail being sent out by # c) Add a new cleanup service specific to the submission service ('authclean')
# authenticated users. # that filters out privacy-sensitive headers on mail being sent out by
# authenticated users.
tools/editconf.py /etc/postfix/master.cf -s -w \ tools/editconf.py /etc/postfix/master.cf -s -w \
"submission=inet n - - - - smtpd "submission=inet n - - - - smtpd
-o syslog_name=postfix/submission -o syslog_name=postfix/submission
-o smtpd_tls_ciphers=high -o smtpd_tls_protocols=!SSLv2,!SSLv3
-o cleanup_service_name=authclean" \ -o cleanup_service_name=authclean" \
"authclean=unix n - - - 0 cleanup "authclean=unix n - - - 0 cleanup
-o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters" -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters"
...@@ -237,11 +239,13 @@ tools/editconf.py /etc/dovecot/conf.d/15-lda.conf \ ...@@ -237,11 +239,13 @@ tools/editconf.py /etc/dovecot/conf.d/15-lda.conf \
# Drew Crawford sets the auth-worker process to run as the mail user, but we don't care if it runs as root. # Drew Crawford sets the auth-worker process to run as the mail user, but we don't care if it runs as root.
# Enable SSL and specify the location of the SSL certificate and private key files. # Enable SSL, specify the location of the SSL certificate and private key files,
# and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
ssl=required \ ssl=required \
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
"ssl_cipher_list=TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH"
# PERMISSIONS / RESTART SERVICES # PERMISSIONS / RESTART SERVICES
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023