Perfect Postfix Mailserver SSL Configuration Debian

Many server operators are now concerned about a secure connection for their web server, but most of them still forget to secure the mail server as well, although this can be done with just a few configuration lines. The prerequisite for this is that you already have an SSL certificate (the path to the certificate must be adapted in the following snippet).

The following configuration is added to **/etc/postfix/main.cf** at the end of the file:


```
# Enable TLS for outbound mail (Postfix acting as SMTP client)
smtp_use_tls                 = yes
# Enable TLS logging
smtp_tls_loglevel            = 1
# Allow unencrypted connections (may = use TLS only if the remote server offers it)
smtp_tls_security_level      = may
# Paths to the certificate, key and CA files
smtp_tls_cert_file           = /etc/ssl/certfile.crt
smtp_tls_key_file            = /etc/ssl/keyfile.key
smtp_tls_CAfile              = /etc/ssl/cabundle.pem
smtp_tls_CApath              = /etc/ssl/certs
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Outbound cipher and protocol restrictions
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_protocols = !SSLv2, !SSLv3

# Inbound (smtpd) cipher and protocol restrictions
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
```
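The following check is an added example, not part of the original post: it parses main.cf text with Postfix's rules (indented lines continue the previous parameter, a repeated parameter takes its last value) and reports repeated parameters and any of the TLS restrictions from this page that are missing. The names `parse_main_cf`, `audit`, `REQUIRED` and the `SAMPLE` text are constructed for illustration.

```python
import re

# Tokens each parameter must contain, taken from the settings on this page.
# Assumption: protocols use the "!SSLv2, !SSLv3" exclusion syntax shown there.
NO_SSL = {"!SSLv2", "!SSLv3"}
WEAK = {"aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5"}
REQUIRED = {
    "smtp_tls_protocols": NO_SSL, "smtpd_tls_protocols": NO_SSL,
    "smtpd_tls_mandatory_protocols": NO_SSL,
    "smtp_tls_ciphers": {"high"}, "smtpd_tls_ciphers": {"high"},
    "smtp_tls_exclude_ciphers": WEAK, "smtpd_tls_exclude_ciphers": WEAK,
}
# Constructed sample input (not a real server's file).
SAMPLE = """\
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT,
    DES, RC4, MD5
smtp_tls_protocols = !SSLv2
smtpd_tls_protocols = !SSLv2,!SSLv3
"""

def parse_main_cf(text):
    """Return (effective values, names that were set more than once)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank or comment line
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()    # continuation of previous line
        else:
            logical.append(raw.strip())
    effective, repeated = {}, set()
    for line in logical:
        name, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if name in effective:
            repeated.add(name)
        effective[name] = value                 # the last assignment wins
    return effective, sorted(repeated)

def audit(text):
    """List repeated parameters and required tokens that are absent."""
    effective, repeated = parse_main_cf(text)
    findings = [f"{n}: set more than once, last value wins" for n in repeated]
    for name, needed in REQUIRED.items():
        have = set(re.split(r"[,\s]+", effective.get(name, "")))
        if needed - have:
            findings.append(f"{name}: missing {', '.join(sorted(needed - have))}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real server, pass the contents of /etc/postfix/main.cf to `audit()` before restarting.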

Then restart the mail server:
> /etc/init.d/postfix restart

You can test the new configuration with this website, for example:
![Mailserver](storage/mailserver.PNG)
