Voici une configuration de durcissement TLS pour Postfix (directives `smtpd_*` pour le serveur SMTP entrant, `smtp_*` pour le client SMTP sortant). Elle s’insère dans le fichier de configuration principal de Postfix, « /etc/postfix/main.cf » ; après modification, validez-la avec `postfix check` et `postconf -n`, puis rechargez le service et surveillez les avertissements TLS dans les journaux :
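# Postfix TLS hardening for /etc/postfix/main.cf.
# smtpd_* settings apply to the SMTP server (inbound), smtp_* to the SMTP
# client (outbound). The certificate paths below are placeholders: replace
# NOM_SERVEUR_POSTFIX and check the directory name (certbot's default live
# directory is /etc/letsencrypt/live/<name>/, not /etc/lets_encrypt/).

# Session cache: with session tickets disabled below (tls_ssl_options =
# no_ticket), resumption relies on this server-side cache.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
smtp_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_timeout = 3600s

# Protocols: TLS 1.0 and 1.1 are deprecated (RFC 8996); the original page
# still allowed TLSv1.1. The exclusion form is used so that newer protocol
# versions stay enabled automatically; on Postfix >= 3.6 the equivalent
# ">=TLSv1.2" syntax can be used instead.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Cipher grade. NOTE(review): "high" on smtp_tls_ciphers also applies to
# opportunistic outbound TLS, where Postfix's default is "medium"; a
# stricter grade can make delivery to legacy servers fail. Watch for
# "TLS handshake failed" log lines if deliverability matters more than
# cipher strength for opportunistic mail.
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

# Server-side exclusions. ECDSA is excluded here and the cipherlist below
# keeps only aRSA suites, so this only works with an RSA certificate.
# Recent certbot releases issue ECDSA keys by default; with such a key the
# server would have no usable cipher. Either request an RSA key
# (--key-type rsa) or drop the ECDSA/aRSA restrictions.
smtpd_tls_mandatory_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
# Client-side exclusions: static DH/ECDH, PSK/SRP, legacy symmetric ciphers.
smtp_tls_mandatory_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4

# Use the server's cipher preference order instead of the client's. Note
# that tls_high_cipherlist below lists EDH+aRSA first, so with this setting
# the server prefers DHE (using the 4096-bit parameters below) over ECDHE
# for any client offering both, which is noticeably more expensive.
tls_preempt_cipherlist = yes

# ECDHE curve selection. "auto" (the default since Postfix 3.2 with
# OpenSSL >= 1.0.2) negotiates from the curves the client supports. The
# original "ultra" grade pinned a single curve (secp384r1): slower, and
# clients without it fall back to non-ECDHE suites.
# On Postfix < 3.2 keep the original: smtpd_tls_eecdh_grade = ultra
smtpd_tls_eecdh_grade = auto
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1

# Finite-field DH parameters for the EDH+aRSA suites. Generate once:
#   mkdir -p /etc/postfix/ssl
#   openssl dhparam -out /etc/postfix/ssl/dh4096.pem 4096
# The "1024" in the parameter name is historical; the file may hold larger
# parameters (4096-bit DH costs real CPU per handshake; 2048-bit is the
# common choice). smtpd_tls_dh512_param_file is deliberately not set: it
# only serves export-grade (EXP) ciphers, which are excluded above.
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh4096.pem

# Record TLS details in the Received: header.
smtpd_tls_received_header = yes

# Inbound: opportunistic TLS. Do not use "encrypt" on a public MX, as it
# breaks delivery from senders that do not offer STARTTLS.
smtpd_tls_security_level = may
# Outbound: DANE. For destinations without DNSSEC-signed TLSA records this
# behaves like "may". DANE only works when smtp_dns_support_level = dnssec
# (below) AND the resolver in /etc/resolv.conf is DNSSEC-validating and
# reached over a trusted path (typically 127.0.0.1): the AD bit from a
# remote resolver can be forged in transit. Otherwise Postfix logs a
# warning and DANE is not applied.
smtp_tls_security_level = dane

# Custom "high" cipherlist, kept as on the original page (postconf(5)
# advises against overriding it unless you know what you are doing).
# The original split this value over two lines without indenting the
# second one, so Postfix did not treat it as a continuation and the
# "!LOW:...:!ECDSA" part was never applied. A continuation line must
# start with whitespace; the value is kept on one line here.
# "+SSLv3" is an OpenSSL cipher-list ordering keyword (moves the
# SSLv3-era CBC/SHA1 suites to the end); it does not enable the SSLv3
# protocol, which is excluded by the *_tls_protocols settings above.
tls_high_cipherlist = EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA

# Disable session tickets, TLS compression (CRIME) and renegotiation.
# no_renegotiation needs OpenSSL 1.1.1+ and a Postfix release that knows
# the option; older versions log a warning about an unknown option.
tls_ssl_options = no_ticket, no_compression, no_renegotiation
# Postfix default, listed explicitly.
tls_random_source = dev:/dev/urandom
# Log when a remote server offered STARTTLS that was not used.
smtp_tls_note_starttls_offer = yes

# DANE prerequisites: DNSSEC-aware lookups (see smtp_tls_security_level
# above for the resolver requirement) and DNS-only host lookups, since
# /etc/hosts entries cannot be DNSSEC-validated.
smtp_dns_support_level = dnssec
smtp_host_lookup = dns

# Client certificate/key (outbound). Postfix loads private keys as root at
# startup, so certbot's root-only directories work; do not loosen them.
smtp_tls_key_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/privkey.pem
smtp_tls_cert_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/fullchain.pem
# NOTE(review): a CAfile holding only ISRG Root X1 lets the client verify
# Let's Encrypt-issued server certificates only (relevant to the "secure"
# and "verify" levels and to DANE PKIX-TA/PKIX-EE TLSA usages). Most
# deployments point this at the system CA bundle or set smtp_tls_CApath.
smtp_tls_CAfile = /etc/ssl/certs/ISRG_Root_X1.pem

# Server side: log a per-session TLS summary; allow AUTH only over TLS.
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/privkey.pem
smtpd_tls_cert_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/fullchain.pem
# Used to verify client certificates (smtpd_tls_ask_ccert) and as the CA
# list sent in certificate requests; the intermediate that connecting
# clients need is already part of fullchain.pem.
smtpd_tls_CAfile = /etc/ssl/certs/ISRG_Root_X1.pem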