CONFIG SSL POUR POSTFIX (GNU/LINUX DEBIAN BUSTER)

Voici la configuration nécessaire pour avoir une bonne sécurité au niveau du ssl sous Postfix. La configuration s’insère dans le fichier de configuration de Postfix “/etc/postfix/main.cf” :

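# Postfix TLS hardening for /etc/postfix/main.cf (Debian Buster: Postfix 3.4, OpenSSL 1.1.1).
# smtp_* parameters apply to the outgoing SMTP client, smtpd_* to the incoming SMTP server.

# Session caches for client and server side, and how long a cached session stays valid.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache

smtp_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_timeout = 3600s

# Protocol lists use the exclusion form recommended by the Postfix TLS documentation.
# TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so only TLS 1.2 and TLS 1.3 remain.
# NOTE(review): smtp_tls_protocols governs opportunistic client TLS; a stricter list can make
# delivery to legacy peers fall back to plaintext — confirm this trade-off is acceptable.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

# Cipher exclusions (OpenSSL cipher-string names). The server side also drops ECDSA and
# CAMELLIA because the certificates below are RSA; the client side drops static kECDH/kDH.
smtpd_tls_mandatory_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
smtp_tls_mandatory_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4
# Server cipher preference wins over the client's order.
tls_preempt_cipherlist = yes

# Ephemeral ECDH: "ultra" selects tls_eecdh_ultra_curve (secp384r1 / P-384).
smtpd_tls_eecdh_grade = ultra
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1

# Both DH parameter files point at 4096-bit parameters even though the directive names
# say 512 and 1024. The 512-bit file is only used by export-grade ciphers, which are
# excluded above (EXP), so this is harmless.
# mkdir /etc/postfix/ssl; openssl dhparam -out /etc/postfix/ssl/dh4096.pem 4096
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh4096.pem
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh4096.pem
# Record the negotiated protocol and cipher in the Received: header.
smtpd_tls_received_header = yes

# Server: opportunistic TLS (cannot be stricter for inbound mail from the Internet).
# Client: DANE — enforced TLS where the peer publishes DNSSEC-signed TLSA records,
# opportunistic TLS otherwise. Requires the DNS settings under "DANE SUPPORT" below.
smtpd_tls_security_level = may
smtp_tls_security_level = dane

# Cipher list behind the "high" grade. Kept on ONE line: in main.cf a continuation line
# must start with whitespace, and a wrapped copy that begins at column 0 is a syntax error
# ("missing '=' after attribute name").
tls_high_cipherlist = EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA

# No stateless session tickets (the caches above still provide resumption), no TLS
# compression, no renegotiation (no_renegotiation needs Postfix >= 3.4).
tls_ssl_options = no_ticket, no_compression, no_renegotiation

# Entropy source for the TLS library (this is also the Postfix default).
tls_random_source = dev:/dev/urandom

# Log remote servers that offer STARTTLS when it was not used.
smtp_tls_note_starttls_offer = yes

# DANE SUPPORT
# DANE only works with a DNSSEC-validating resolver on the local host (e.g. unbound);
# without validated TLSA lookups Postfix silently degrades to opportunistic TLS.
# Lookups must go through DNS, not /etc/hosts, for the TLSA records to be found.
smtp_dns_support_level = dnssec
smtp_host_lookup = dns

# Client certificate presented to remote servers and the trust anchors used to verify
# their certificates (PKIX / DANE-TA). NOM_SERVEUR_POSTFIX is the host's certificate name.
smtp_tls_key_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/privkey.pem
smtp_tls_cert_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/fullchain.pem
smtp_tls_CAfile = /etc/ssl/certs/ISRG_Root_X1.pem

# Server: log a one-line handshake summary, announce SASL AUTH only after STARTTLS,
# and serve the same certificate chain.
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/privkey.pem
smtpd_tls_cert_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/fullchain.pem
smtpd_tls_CAfile = /etc/ssl/certs/ISRG_Root_X1.pem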


CONFIG SSL POUR DOVECOT (GNU/LINUX DEBIAN BUSTER)

Voici la configuration nécessaire pour avoir une bonne sécurité au niveau du ssl sous Dovecot. Le fichier “10-ssl.conf” sera placé dans le répertoire “/etc/dovecot/conf.d/” :

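#### SSL Settings — /etc/dovecot/conf.d/10-ssl.conf (Dovecot 2.3 on Debian Buster, OpenSSL 1.1.1).
# Refuse plaintext logins: TLS is mandatory for every client connection.
ssl = required
# TLS 1.2 cipher preference (with OpenSSL 1.1.1 the TLS 1.3 suites are configured separately).
# Only ECDHE/DHE AES suites are listed. The original list also named 3DES and static-RSA
# suites that the trailing "!" rules immediately removed again; those names are dropped
# here, the effective cipher set is unchanged, and the "!" rules stay as a safety net.
# NOTE(review): @STRENGTH re-sorts by key length, so AES-256 CBC suites end up ahead of
# AES-128 GCM; remove it if an AEAD-first order is preferred.
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Server cipher order wins over the client's.
ssl_prefer_server_ciphers = yes
# DH parameters for the DHE suites (ssl_dh is Dovecot >= 2.3 syntax).
# mkdir /etc/dovecot/ssl; openssl dhparam -out /etc/dovecot/ssl/dh4096.pem 4096
ssl_dh = </etc/dovecot/ssl/dh4096.pem
# ECDHE curves, strongest first ( P-384 = secp384r1 ).
ssl_curve_list = P-384:X448:X25519
# Disable session tickets; compression is already off by default.
ssl_options = no_ticket
# TLS 1.0 and 1.1 are deprecated (RFC 8996).
ssl_min_protocol = TLSv1.2
# Trust anchors from the Debian ca-certificates package (Let's Encrypt root ISRG Root X1).
# ssl_client_ca_dir is used when Dovecot itself acts as a TLS client (imapc/pop3c/submission
# relay); ssl_ca is the trust anchor for verifying *client* certificates (ssl_verify_client_cert).
# NOTE(review): neither setting changes the chain sent to IMAP/POP3 clients — confirm intent.
ssl_client_ca_dir = /etc/ssl/certs
ssl_ca = </etc/ssl/certs/ISRG_Root_X1.pem
# Your certificates: full chain and private key (NOM_SERVER_MAIL is the host's certificate name).
ssl_cert = </etc/lets_encrypt/live/NOM_SERVER_MAIL/fullchain.pem
ssl_key = </etc/lets_encrypt/live/NOM_SERVER_MAIL/privkey.pem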


CONFIG SSL POUR NGINX (GNU/LINUX DEBIAN BUSTER)

Voici la configuration nécessaire pour avoir une bonne sécurité au niveau du https. Le fichier “ssl.conf” sera placé dans le répertoire “/etc/nginx/conf.d/” :

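# We track the Mozilla compatibility TLS recommendations.
# Note that these settings are repeated in the SMTP and IMAP configuration.
# TLS 1.2 suites only (TLS 1.3 suites are negotiated separately): ECDHE/DHE key exchange,
# AES-256. The ECDHE-RSA entry is the one used with RSA (Let's Encrypt) certificates; it was
# misspelled "ES256" and OpenSSL silently ignores unknown suite names, which left only the
# slower DHE-RSA suite for RSA certificates. Keep the spellings exact.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
# Every listed suite is strong, so let the client pick its preferred one (current Mozilla guidance).
ssl_prefer_server_ciphers off;
# DH parameters for the DHE suite.
# openssl dhparam -out /etc/nginx/ssl/dh4096.pem 4096
ssl_dhparam /etc/nginx/ssl/dh4096.pem;
ssl_ecdh_curve secp384r1;
# http://nginx.org/en/docs/http/configuring_https_servers.html
# Resumption via the shared server-side cache only; no stateless tickets.
ssl_session_tickets off;
ssl_session_cache shared:SSL:20m; # around 70000 sessions
ssl_session_timeout 1d;
# Buffer size of 1400 bytes fits in one MTU.
# nginx 1.5.9+ ONLY
ssl_buffer_size 1400;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
# with use of ca-certificates Gnu/Linux Debian package
# NOTE(review): the intermediate must be available too, either in the ssl_certificate chain
# of the server block or in this file — confirm the server block uses fullchain.pem.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ISRG_Root_X1.pem;
# Only TLS 1.2 and 1.3: SSLv3 (historically on by default in nginx) and TLS 1.0/1.1 are
# less secure than current TLS and stay disabled.
ssl_protocols TLSv1.2 TLSv1.3;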
