|
|
|
|
@ -29,6 +29,10 @@ relayhost = {{ RELAYHOST }}
|
|
|
|
|
# TLS
|
|
|
|
|
###############
|
|
|
|
|
|
|
|
|
|
# General TLS configuration
|
|
|
|
|
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
|
|
|
|
|
tls_preempt_cipherlist = yes
|
|
|
|
|
|
|
|
|
|
# Only one key/certificate pair is used, SNI not being supported by all
|
|
|
|
|
# services and not a strong requirement. Also, TLS is enforced for submission
|
|
|
|
|
# and smtps in master.cf.
|
|
|
|
|
@ -40,9 +44,11 @@ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
|
|
|
|
# Server-side TLS is hardened, it should be up to the client to update his or
|
|
|
|
|
# her TLS stack in order to connect to the mail server. Hardening is based on
|
|
|
|
|
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
|
|
|
|
|
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
|
|
|
|
|
smtpd_tls_protocols = !SSLv2, !SSLv3
|
|
|
|
|
smtpd_tls_ciphers = high
|
|
|
|
|
smtpd_tls_mandatory_ciphers = high
|
|
|
|
|
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Outgoing TLS is more flexible because 1. not all receiving servers will
|
|
|
|
|
# support TLS, 2. not all will have and up-to-date TLS stack.
|
|
|
|
|
|
Pierre Jaury
8 years ago