CONFIG SSL POUR POSTFIX (GNU/LINUX DEBIAN BUSTER)

Voici la configuration nécessaire pour avoir une bonne sécurité au niveau du SSL/TLS sous Postfix. La configuration s’insère dans le fichier de configuration de Postfix “/etc/postfix/main.cf” :

# Postfix TLS settings for /etc/postfix/main.cf (Debian Buster; Postfix 3.4.x).
# Naming convention: smtpd_* parameters apply to the SMTP server (inbound
# mail / submission), smtp_* parameters apply to the SMTP client (outbound
# delivery). Postfix does not support trailing comments after a value, so
# every comment here sits on its own line.

# Server- and client-side TLS session caches stored under data_directory,
# with a one-hour lifetime.
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache

smtp_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_timeout = 3600s

# Protocol selection for opportunistic (*_tls_protocols) and mandatory
# (*_tls_mandatory_protocols) TLS on both sides. SSLv2, SSLv3 and TLSv1 are
# excluded.
# NOTE(review): TLSv1.1 is still enabled on these four lines. RFC 8996
# deprecates it together with TLSv1, so adding "!TLSv1.1" to each list is
# the usual hardening step. Postfix >= 3.6 also accepts the ">=TLSv1.2"
# form; Buster's 3.4 does not. The Postfix documentation recommends listing
# exclusions only rather than mixing them with explicit inclusions as done
# here.
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
# Cipher grade "high" (OpenSSL HIGH), whose exact suite list is taken from
# tls_high_cipherlist further down.
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

# Cipher exclusions applied on top of the grade above.
# Server side: null, anonymous (aNULL/ADH/AECDH), weak (LOW/EXP/MEDIUM),
# MD5, DSS, ECDSA and CAMELLIA suites. Assuming the Let's Encrypt
# certificate configured below is RSA (TODO confirm), the ECDSA exclusion
# has no effect; it would have to be dropped for an ECDSA certificate.
# Client side: MD5, SRP/PSK, static (EC)DH key exchange and legacy
# block/stream ciphers.
# NOTE: the two smtpd_* lines below were cut off at "$" when this page was
# published; take the complete values from the original main.cf.
smtpd_tls_mandatory_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA12$
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLI$
smtp_tls_mandatory_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4
# The server's cipher preference order wins over the client's.
tls_preempt_cipherlist = yes

# Ephemeral ECDH: grade "ultra" selects tls_eecdh_ultra_curve (P-384);
# the "strong" curve (P-256) is defined but not selected by this grade.
smtpd_tls_eecdh_grade = ultra
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1

# 4096-bit DH parameters despite the "512"/"1024" in the directive names:
# dh1024 serves non-export DHE suites, dh512 only export-grade ones.
# Generate the file once with:
#   mkdir /etc/postfix/ssl; openssl dhparam -out /etc/postfix/ssl/dh4096.pem 4096
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh4096.pem
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh4096.pem
# Record the negotiated TLS protocol and cipher in the Received: header.
smtpd_tls_received_header = yes

# Inbound: opportunistic TLS ("may") — a public MX cannot require TLS from
# arbitrary senders. Outbound: "dane" verifies the remote MX against its
# TLSA records when the DNS answers are DNSSEC-validated; per the Postfix
# TLS_README this degrades to "may" for domains without validated TLSA
# records. It depends on the smtp_dns_support_level / smtp_host_lookup
# settings further down and on a trusted DNSSEC-validating resolver
# (normally on localhost) in /etc/resolv.conf.
smtpd_tls_security_level = may
smtp_tls_security_level = dane

# Overrides Postfix's default OpenSSL cipher list for grade "high".
# NOTE(review): the Postfix documentation advises against overriding this
# parameter unless necessary. "+SSLv3" here is an OpenSSL cipher-suite
# alias (suites first defined for SSLv3, moved to the end of the list by
# "+"), not a protocol — the protocol lines above still exclude SSLv3.
# NOTE: this line was cut off at "$" when this page was published.
tls_high_cipherlist=EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:+AES128:+SSLv3:!aNULL:!eNU$

# OpenSSL option flags: no session tickets, no TLS compression, no
# renegotiation.
tls_ssl_options = no_ticket, no_compression, no_renegotiation

# PRNG seed source; this is the Postfix default, listed explicitly.
tls_random_source = dev:/dev/urandom

# Log remote servers that offer STARTTLS when TLS is not used for them.
smtp_tls_note_starttls_offer = yes

# FOR DANE SUPPORT: DNSSEC-aware lookups, required by the "dane" level
# above (see the note there about the validating resolver).
smtp_dns_support_level=dnssec
smtp_host_lookup=dns

# Client (outbound) certificate, key and trust anchor. NOM_SERVEUR_POSTFIX
# is a placeholder for the host name of the Let's Encrypt lineage.
# NOTE(review): certbot's default lineage directory is /etc/letsencrypt/live;
# confirm that /etc/lets_encrypt is the path actually used on this system.
# The Postfix TLS_README requires privkey.pem to be readable by root only.
smtp_tls_key_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/privkey.pem
smtp_tls_cert_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/fullchain.pem
smtp_tls_CAfile = /etc/ssl/certs/ISRG_Root_X1.pem

# Server (inbound) side: loglevel 1 logs handshake summaries;
# auth_only = yes means SASL AUTH is only announced and accepted after
# STARTTLS, so credentials never cross the wire in clear. Same certificate,
# key and CA file as the client side (see the path note above).
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/privkey.pem
smtpd_tls_cert_file = /etc/lets_encrypt/live/NOM_SERVEUR_POSTFIX/fullchain.pem
smtpd_tls_CAfile = /etc/ssl/certs/ISRG_Root_X1.pem
