Antoine Nguyen
@@ -41,10 +41,11 @@ ssl_key = <%tls_key_file
|
||||
#ssl_parameters_regenerate = 168
|
||||
|
||||
# SSL protocols to use
|
||||
#ssl_protocols = !SSLv2
|
||||
ssl_protocols = !SSLv2 !SSLv3
|
||||
|
||||
|
||||
# SSL ciphers to use
|
||||
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
|
||||
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
|
||||
|
||||
# SSL crypto device to use, for valid values run "openssl engine"
|
||||
#ssl_crypto_device =
|
||||
|
||||
@@ -16,9 +16,11 @@ server {
|
||||
ssl_certificate %tls_cert_file;
|
||||
ssl_certificate_key %tls_key_file;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_verify_depth 3;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
|
||||
client_max_body_size 10M;
|
||||
|
||||
|
||||
@@ -34,10 +34,11 @@ smtpd_tls_security_level = may
|
||||
smtpd_tls_received_header = yes
|
||||
|
||||
# Disallow SSLv2 and SSLv3, only accept secure ciphers
|
||||
smtpd_tls_protocols = !SSLv2, !SSLv3
|
||||
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
|
||||
smtpd_tls_mandatory_ciphers = high
|
||||
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
|
||||
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
|
||||
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
|
||||
smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
|
||||
|
||||
# Enable elliptic curve cryptography
|
||||
smtpd_tls_eecdh_grade = strong
|
||||
@@ -45,6 +46,7 @@ smtpd_tls_eecdh_grade = strong
|
||||
# Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
|
||||
smtp_tls_security_level = may
|
||||
smtp_tls_loglevel = 1
|
||||
smtp_tls_exclude_ciphers = EXPORT, LOW
|
||||
|
||||
## Virtual transport settings
|
||||
#
|
||||
|
||||
@@ -19,6 +19,7 @@ tlsproxy unix - - - - 0 tlsproxy
|
||||
submission inet n - - - - smtpd
|
||||
-o syslog_name=postfix/submission
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o tls_preempt_cipherlist=yes
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_reject_unlisted_recipient=no
|
||||
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
|
||||
|
||||
Reference in New Issue
Block a user