TLS Hardening: Postfix

Dealing w/ TLS in postfix is straightforward, but there are too many options to list them all. As a prerequisite, a researcher maybe wants to be able to look at TLS information in more detail - in the logs of the server, as well as in the header of the mail itself.

This can be achieved by setting
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
in /etc/postfix/ Furthermore, if not already set
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_security_level = may
lmtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
also makes sense, but still gives us a C+ rating. Folks at Qualys recommend
tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_legacy_public_key_fingerprints = no
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
but this also gives us C+. Doing more research, we finally get a B - still w/ a self-signed cert - by using
tls_legacy_public_key_fingerprints = no
tls_null_cipherlist = eNULL:!aNULL
Together w/ a letsencrypt cert, we finally receive an A grade and full PCI-DSS compliance. Mission accomplished! P.S.: If you are interested in a complete TLSv1.2 cipherlist, just issue
openssl ciphers TLSv1.2
Addendum: If you are on the lookout for governments deploying weak encryption, then this is for you:
May 5 01:44:08 isp postfix/smtpd[24611]: connect from[]
 May 5 01:44:09 isp postfix/smtpd[24611]: SSL_accept error from[]: -1
 May 5 01:44:09 isp postfix/smtpd[24611]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1440:
 May 5 01:44:09 isp postfix/smtpd[24611]: lost connection after STARTTLS from[]
 May 5 01:44:09 isp postfix/smtpd[24611]: disconnect from[]
A small snippet to look for more of that kind:
# See which clients try to connect w/ old and insecure SSL
grep "accept error" $1 | cut -d ":" -f 4 | sort | uniq
exit 0


Comments powered by Disqus