From 098fb207e0282c5ee109711bd56df2ee91d91d34 Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Tue, 29 Mar 2016 14:57:41 +0200
Subject: [PATCH] Enable forward secrecy by default.

fix #26
---
 modoboa_installer/scripts/files/postfix/main.cf.tpl | 10 ++++++++++
 modoboa_installer/scripts/postfix.py | 4 ++++
 2 files changed, 14 insertions(+)

diff --git a/modoboa_installer/scripts/files/postfix/main.cf.tpl b/modoboa_installer/scripts/files/postfix/main.cf.tpl
index aadb8f4..700a532 100644
--- a/modoboa_installer/scripts/files/postfix/main.cf.tpl
+++ b/modoboa_installer/scripts/files/postfix/main.cf.tpl
@@ -27,11 +27,21 @@ smtpd_use_tls = yes
 smtpd_tls_auth_only = no
 smtpd_tls_key_file = %tls_key_file
 smtpd_tls_cert_file = %tls_cert_file
+smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_security_level = may
 smtpd_tls_received_header = yes
+# Disallow SSLv2 and SSLv3, only accept secure ciphers
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
+smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
+ # Enable elliptic curve cryptography
+smtpd_tls_eecdh_grade = strong
+
 ## Virtual transport settings
 # %{dovecot_enabled}virtual_transport = lmtp:unix:private/dovecot-lmtp
diff --git a/modoboa_installer/scripts/postfix.py b/modoboa_installer/scripts/postfix.py
index f6a3899..b9a8a63 100644
--- a/modoboa_installer/scripts/postfix.py
+++ b/modoboa_installer/scripts/postfix.py
@@ -62,3 +62,7 @@ class Postfix(base.Installer):
 .format(python_path, script_path, self.dbengine,
 " ".join(extensions), db_url, self.config_dir))
 utils.exec_cmd(cmd)
+
+ # Generate EDH parameters
+ cmd = "openssl dhparam -out dh2048.pem 2048"
+ utils.exec_cmd(cmd, cwd=self.config_dir)
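Review bot: The protocol and cipher restrictions added in the main.cf.tpl hunk only bind mandatory TLS (`smtpd_tls_mandatory_protocols`, `smtpd_tls_mandatory_ciphers`), but the hunk keeps `smtpd_tls_security_level = may`, so opportunistic sessions — the normal case for an inbound MX — still negotiate under the defaults of `smtpd_tls_protocols` and `smtpd_tls_ciphers`, and the "Disallow SSLv2 and SSLv3" comment is not true for them. Add `smtpd_tls_protocols = !SSLv2, !SSLv3` beside the mandatory setting; leaving `smtpd_tls_ciphers` at its default is reasonable, since raising the opportunistic grade to `high` tends to push old peers back to cleartext rather than to a better cipher. The RC4 exclusion names a single suite; `smtpd_tls_exclude_ciphers = RC4` and `smtpd_tls_mandatory_exclude_ciphers = RC4` cover every RC4 suite with one keyword. Forward secrecy also depends on which side's cipher order wins; `tls_preempt_cipherlist = yes` makes the server's EECDH/EDH-first ordering apply and is worth considering alongside the `smtpd_tls_eecdh_grade = strong` line.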
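Review bot: The new `openssl dhparam` call at the end of the postfix.py hunk runs unconditionally, so every re-run of the installer regenerates `dh2048.pem` in `self.config_dir` — generation can take minutes, and it overwrites a file a running Postfix may already be using. Guard it on existence, e.g. `dh_path = os.path.join(self.config_dir, "dh2048.pem")` / `if not os.path.exists(dh_path):` / `utils.exec_cmd("openssl dhparam -out dh2048.pem 2048", cwd=self.config_dir)` (this assumes `os` is imported; the module's imports are outside the hunk). DH parameters are public, so no permission tightening is needed, but the comment should say why this file exists and what reads it, e.g. `# 2048-bit DH group for EDH key exchange; main.cf.tpl references it as ${config_directory}/dh2048.pem, so self.config_dir presumably must be Postfix's config_directory`. The enclosing method begins before the hunk, and whether `utils.exec_cmd` aborts on a non-zero exit is not visible here, so a truncated file from an interrupted run would presumably only surface when Postfix fails to load it.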