From 84ad8e80b99e23a01cd02f0bd8c1cf92ada94b2e Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Wed, 7 Dec 2016 16:57:12 +0100
Subject: [PATCH] Better (more secure) config. see #75
---
 .../scripts/files/dovecot/conf.d/10-ssl.conf.tpl | 5 +++--
 modoboa_installer/scripts/files/nginx/nginx.conf.tpl | 4 +++-
 modoboa_installer/scripts/files/postfix/main.cf.tpl | 6 ++++--
 modoboa_installer/scripts/files/postfix/master.cf.tpl | 1 +
 modoboa_installer/scripts/nginx.py | 4 ++++
 5 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl b/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl
index a368d5c..93f4d9a 100644
--- a/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl
+++ b/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl
@@ -41,10 +41,11 @@ ssl_key = <%tls_key_file
 #ssl_parameters_regenerate = 168
 # SSL protocols to use
-#ssl_protocols = !SSLv2
+ssl_protocols = !SSLv2 !SSLv3
+
 # SSL ciphers to use
-#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
diff --git a/modoboa_installer/scripts/files/nginx/nginx.conf.tpl b/modoboa_installer/scripts/files/nginx/nginx.conf.tpl
index 18d9703..5172b80 100644
--- a/modoboa_installer/scripts/files/nginx/nginx.conf.tpl
+++ b/modoboa_installer/scripts/files/nginx/nginx.conf.tpl
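Review bot: The new `ssl_cipher_list` both includes `EECDH+aRSA+RC4` and ends with `!RC4`, so the explicit RC4 entry is dead and only suggests RC4 is still wanted; drop `EECDH+aRSA+RC4:` from the string. Dovecot lets the client choose among the enabled suites unless `ssl_prefer_server_ciphers = yes` is set (available from Dovecot 2.2.6), so the careful ordering of this list carries no weight on the server side as committed; adding that line directly after `ssl_cipher_list` makes the ordering effective. The `EDH+aRSA` suites here rely on the DH parameters Dovecot generates itself (see the `ssl_parameters_regenerate` context line above), which is separate from the dhparam.pem the nginx part of this commit creates.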
@@ -16,9 +16,11 @@ server {
     ssl_certificate %tls_cert_file;
     ssl_certificate_key %tls_key_file;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
     ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
     ssl_verify_depth 3;
+    ssl_dhparam /etc/nginx/dhparam.pem;
     client_max_body_size 10M;
diff --git a/modoboa_installer/scripts/files/postfix/main.cf.tpl b/modoboa_installer/scripts/files/postfix/main.cf.tpl
index 1c3ca62..b216345 100644
--- a/modoboa_installer/scripts/files/postfix/main.cf.tpl
+++ b/modoboa_installer/scripts/files/postfix/main.cf.tpl
@@ -34,10 +34,11 @@ smtpd_tls_security_level = may
 smtpd_tls_received_header = yes
 # Disallow SSLv2 and SSLv3, only accept secure ciphers
+smtpd_tls_protocols = !SSLv2, !SSLv3
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtpd_tls_mandatory_ciphers = high
-smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
-smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
 # Enable elliptic curve cryptography
 smtpd_tls_eecdh_grade = strong
@@ -45,6 +46,7 @@ smtpd_tls_eecdh_grade = strong
 # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
 smtp_tls_security_level = may
 smtp_tls_loglevel = 1
+smtp_tls_exclude_ciphers = EXPORT, LOW
 ## Virtual transport settings
 #
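Review bot: `!DES` at the end of the new `ssl_ciphers` value does not remove the three `…DES-CBC3-SHA` suites listed explicitly earlier in the same string — in OpenSSL those are 3DES, matched by the `3DES` alias, not `DES` — so 3DES stays enabled on the web side while the Dovecot and Postfix lists in this same commit exclude it; either append `:!3DES` or drop the `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA` entries. The added `ssl_dhparam /etc/nginx/dhparam.pem;` hard-codes a path, while the nginx.py hunk of this commit writes the file into `self.config_dir`; if the two ever differ, nginx fails its config check at startup. Since this template already takes `%tls_cert_file`-style substitutions, filling the path from the installer's config dir (constructed placeholder, e.g. `ssl_dhparam %config_dir/dhparam.pem;`) keeps the template and the generator in step.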
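Review bot: `PSD` in both new `*_exclude_ciphers` lines is not an OpenSSL cipher alias; the nginx and Dovecot lists in this commit exclude `PSK`, so this reads as a typo, and as written PSK suites are not excluded in Postfix — OpenSSL appears to ignore unknown names in a cipher string, so the mistake is silent. Change it to `PSK` on both lines (the stray space in `MD5 ,` can go at the same time). Note that `smtpd_tls_exclude_ciphers` also governs the opportunistic port-25 side (`smtpd_tls_security_level = may` in the hunk header), where excluding `3DES` means a legacy sender offering only 3DES may end up delivering in plaintext rather than over a weaker-but-encrypted session; that is a defensible trade-off, but a one-line comment stating it above the setting keeps it from being reverted as a regression later.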
diff --git a/modoboa_installer/scripts/files/postfix/master.cf.tpl b/modoboa_installer/scripts/files/postfix/master.cf.tpl
index 3bc2acb..dcbe2bf 100644
--- a/modoboa_installer/scripts/files/postfix/master.cf.tpl
+++ b/modoboa_installer/scripts/files/postfix/master.cf.tpl
@@ -19,6 +19,7 @@ tlsproxy unix - - - - 0 tlsproxy
 submission inet n - - - - smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
+  -o tls_preempt_cipherlist=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_reject_unlisted_recipient=no
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
diff --git a/modoboa_installer/scripts/nginx.py b/modoboa_installer/scripts/nginx.py
index 40ccb32..a4a6b59 100644
--- a/modoboa_installer/scripts/nginx.py
+++ b/modoboa_installer/scripts/nginx.py
@@ -53,3 +53,7 @@ class Nginx(base.Installer):
         group = "uwsgi"
         user = "nginx"
         system.add_user_to_group(user, group)
+
+        if not os.path.exists("{}/dhparam.pem".format(self.config_dir)):
+            cmd = "openssl dhparam -out dhparam.pem 4096"
+            utils.exec_cmd(cmd, cwd=self.config_dir)
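Review bot: The existence check on the new `if not os.path.exists(...)` line accepts any file named dhparam.pem, so if the `openssl dhparam` run is interrupted (a 4096-bit generation can take many minutes) a truncated file stays behind, every later run skips regeneration, and nginx then fails on its `ssl_dhparam` line. Generating into a temporary name and renaming only on success avoids that, and building the path once with `os.path.join` removes the duplicated `dhparam.pem` literal and the `cwd=` dependency; the rewrite below assumes `utils.exec_cmd` raises on a non-zero exit, which is not visible in this hunk — verify against its definition before relying on it. A short progress message before the command would also help, since the installer otherwise appears to hang during generation. The enclosing method starts outside the hunk.
```python
        # … unchanged: uwsgi group membership …
        dhparam = os.path.join(self.config_dir, "dhparam.pem")
        if not os.path.exists(dhparam):
            # Write to a temporary name and rename once openssl has finished,
            # so an interrupted run cannot leave a truncated dhparam.pem that
            # the existence check above would accept on the next run.
            tmp_path = dhparam + ".tmp"
            utils.exec_cmd("openssl dhparam -out {} 4096".format(tmp_path))
            os.rename(tmp_path, dhparam)
```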