Simple Postfix Hardening

Add the following to /etc/postfix/main.cf:

vi /etc/postfix/main.cf

 

# Hardening TLS configuration (additions to Postfix main.cf)
#
# Prefixes matter when reading this block: smtp_* parameters configure the
# Postfix SMTP client (outbound mail), smtpd_* parameters configure the SMTP
# server (inbound mail), and tls_* parameters apply to both.

# Enable opportunistic TLS in the SMTP client and log a one-line summary of
# each client-side TLS handshake.
# Opportunistic ("may") TLS falls back to cleartext when the peer does not
# offer STARTTLS, so it protects against passive eavesdropping only.
# NOTE(review): only the client side is set here. Confirm that server-side TLS
# (smtpd_tls_security_level, plus the server certificate and key) is enabled
# elsewhere in main.cf; without it STARTTLS is not offered to inbound
# connections and smtpd_tls_auth_only below leaves AUTH unavailable.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Server: announce and accept SASL authentication only after STARTTLS, so
# credentials are never sent over an unencrypted connection.
smtpd_tls_auth_only = yes

# Disable TLS-level compression (client and server), which removes the
# precondition for compression side-channel attacks such as CRIME.
tls_ssl_options = NO_COMPRESSION

# Server: disable SSLv2 and SSLv3. Everything else the linked OpenSSL supports
# stays enabled, which includes TLSv1 and TLSv1.1.
# NOTE(review): TLSv1 and TLSv1.1 are deprecated by RFC 8996. Consider adding
# "!TLSv1, !TLSv1.1" to smtpd_tls_mandatory_protocols. For the opportunistic
# list (smtpd_tls_protocols), weigh that against legacy peers falling back to
# cleartext when no common protocol version is left.
# NOTE(review): these are server-only; the client counterparts
# (smtp_tls_mandatory_protocols, smtp_tls_protocols) are not set in this block.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3

# Server: require the "high" cipher grade for mandatory-TLS sessions and
# redefine what "high" means via an explicit OpenSSL cipher list.
# NOTE(review): smtpd_tls_mandatory_ciphers applies only where TLS is enforced
# (for example a submission service running with security level "encrypt").
# Opportunistic sessions use smtpd_tls_ciphers, which this block leaves at its
# default.
# NOTE(review): the Postfix documentation advises against overriding
# tls_high_cipherlist. The list below still admits CBC/SHA-1 suites, and
# "!ECDSA" appears to exclude ECDSA-authenticated suites - confirm this matches
# the certificate type in use. TLS 1.3 cipher suites are not governed by this
# list.
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

# Server: select the EECDH (ephemeral elliptic-curve Diffie-Hellman) grade used
# for forward-secret key exchange.
# NOTE(review): "ultra" pins a stronger curve, which clients that only support
# the common 256-bit curve may be unable to negotiate. Newer Postfix releases
# are documented as ignoring this parameter in favour of automatic curve
# selection - verify against postconf(5) for the installed version.
smtpd_tls_eecdh_grade=ultra
