Enable forward secrecy by default.

fix #26

modoboa_installer/scripts/files/postfix/main.cf.tpl

@@ -27,11 +27,21 @@ smtpd_use_tls = yes
 smtpd_tls_auth_only = no
 smtpd_tls_key_file = %tls_key_file
 smtpd_tls_cert_file = %tls_cert_file
+smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_security_level = may
 smtpd_tls_received_header = yes
 
+# Disallow SSLv2 and SSLv3, only accept secure ciphers
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
+smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
+
+# Enable elliptic curve cryptography
+smtpd_tls_eecdh_grade = strong
+
 ## Virtual transport settings
 #
 %{dovecot_enabled}virtual_transport = lmtp:unix:private/dovecot-lmtp

modoboa_installer/scripts/postfix.py

@@ -62,3 +62,7 @@ class Postfix(base.Installer):
             .format(python_path, script_path, self.dbengine,
                     " ".join(extensions), db_url, self.config_dir))
         utils.exec_cmd(cmd)
+
+        # Generate EDH parameters
+        cmd = "openssl dhparam -out dh2048.pem 2048"
+        utils.exec_cmd(cmd, cwd=self.config_dir)