Better Postfix TLS

Yep we all be muppets

Bananas had TLS set up badly* once on a Postfix mail server and decided to fix it properly. It worked inbound, but I had not bothered with outbound.

I fiddled about and set:

smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA

(The smtp_ parameters are the outbound client side, the smtpd_ ones the inbound server side; the two are configured separately in Postfix.)

Cipher.lst is helpful here. While I may support a given cipher, you cannot say with 100% certainty that everybody else can, so enforcing TLS outbound (a mandatory security level instead of "may") was out of the question; a name mismatch on the certificate ruled it out as well.
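To make the inbound/outbound split concrete, here is an added example (my own, not from the original post or from the Postfix project): a "before" main.cf fragment with TLS only half done next to a fixed one covering both directions, and a small POSIX-sh linter that flags the usual gaps (TLS disabled on one side, legacy protocols still allowed, weak ciphers not excluded). Both config fragments are constructed for illustration; the parameter names are real Postfix ones, the checks are my own and only cover the items named in the post.

```shell
#!/bin/sh
# Added example, not from the original post: a Postfix main.cf TLS fragment
# for both directions (smtpd_* = inbound server, smtp_* = outbound client)
# plus a tiny linter for it. Both configs below are constructed for illustration.

# "Before": TLS half done, as in the post (inbound only, old protocols allowed).
WEAK_CF='smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = aNULL
smtp_tls_security_level = none'

# "After": opportunistic TLS both ways, legacy protocols and weak ciphers out.
# In OpenSSL cipher strings "DES" matches single DES only; "CBC3-SHA" is what
# catches the 3DES suites the post lists by name.
GOOD_CF='smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, CBC3-SHA
smtpd_tls_received_header = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, CBC3-SHA
smtp_tls_loglevel = 1'

# cf_get CONFIG PARAM: value of PARAM; the last definition wins, as in Postfix.
cf_get() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# has_token LIST TOKEN: true if TOKEN is an exact comma/space-separated item.
has_token() {
  printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qxF -- "$2"
}

# check_tls CONFIG: print one finding per line; exit 0 only when there are none.
check_tls() {
  cf=$1; n=0
  for side in smtpd smtp; do
    level=$(cf_get "$cf" "${side}_tls_security_level")
    case "$level" in
      ''|none) echo "$side: TLS disabled (${side}_tls_security_level is '${level:-unset}')"; n=$((n+1)) ;;
    esac
    for p in protocols mandatory_protocols; do
      v=$(cf_get "$cf" "${side}_tls_$p")
      # Postfix 3.6+ also accepts the ">=TLSv1.2" form; the older exclusion
      # syntax from the post must name every legacy version explicitly.
      case "$v" in
        ">=TLSv1.2"*|">=TLSv1.3"*) continue ;;
      esac
      for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        has_token "$v" "!$old" || { echo "$side: ${side}_tls_$p allows $old"; n=$((n+1)); }
      done
    done
    ex=$(cf_get "$cf" "${side}_tls_exclude_ciphers")
    for c in aNULL eNULL EXPORT RC4 MD5; do
      has_token "$ex" "$c" || { echo "$side: ${side}_tls_exclude_ciphers lacks $c"; n=$((n+1)); }
    done
  done
  [ "$n" -eq 0 ]
}

# count_findings CONFIG: number of findings, handy for scripting.
count_findings() {
  check_tls "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: lint the weak config, then the fixed one.
echo "== weak =="; check_tls "$WEAK_CF" || echo "-> $(count_findings "$WEAK_CF") findings"
echo "== fixed =="; check_tls "$GOOD_CF" && echo "-> clean"
```

One caveat the linter cannot see: with smtp_tls_security_level = may, a remote that only offers a protocol you have excluded does not get a failed delivery, it gets the next attempt in plaintext, so outbound exclusions trade "old TLS" for "no TLS" on those peers. Check the logs (smtp_tls_loglevel = 1 and the "Untrusted TLS connection" / "Anonymous TLS connection" lines) before tightening the client side further.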

A Postfix upgrade (see my blog) helped more.

Now you can start on DNSSEC and DANE. No excuses now.

* See my blog: it works, but was not that usable.

