Nist tls (#831)
* remove two ciphers according to https://www.htbridge.com/ssl/ (NIST, HIPAA) * added a switch via an environment variable to choose between modern and intermediate ciphers
This commit is contained in:
Marek Walczak
Johan Smits
parent
eb20722b80
commit
c36e878d76
|
|
@ -247,6 +247,13 @@ Otherwise, `iptables` won't be able to ban IPs.
|
|||
|
||||
Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information.
|
||||
|
||||
##### TLS_LEVEL
|
||||
|
||||
- **empty** => modern
|
||||
- modern => Enables TLSv1.2 and modern ciphers only. (default)
|
||||
- intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers.
|
||||
- old => NOT implemented. If you really need it, then customize the TLS ciphers overriding postfix and dovecot settings [ wiki](https://github.com/tomav/docker-mailserver/wiki/
|
||||
|
||||
##### PERMIT_DOCKER
|
||||
|
||||
Set different options for mynetworks option (can be overwrite in postfix-main.cf)
|
||||
|
|
|
|||
|
|
@ -46,10 +46,10 @@ ssl_key = </etc/dovecot/ssl/dovecot.key
|
|||
ssl_dh_parameters_length = 2048
|
||||
|
||||
# SSL protocols to use
|
||||
ssl_protocols = !SSLv3
|
||||
ssl_protocols = !SSLv3,!TLSv1,!TLSv1.1
|
||||
|
||||
# SSL ciphers to use
|
||||
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
|
||||
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||
|
||||
# Prefer the server's order of ciphers over client's.
|
||||
ssl_prefer_server_ciphers = yes
|
||||
|
|
|
|||
|
|
@ -28,12 +28,12 @@ smtpd_tls_loglevel = 1
|
|||
smtp_tls_security_level = may
|
||||
smtp_tls_loglevel = 1
|
||||
tls_ssl_options = NO_COMPRESSION
|
||||
tls_high_cipherlist=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
|
||||
tls_high_cipherlist=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||
tls_preempt_cipherlist = yes
|
||||
smtpd_tls_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_protocols=!SSLv2,!SSLv3
|
||||
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
||||
smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
||||
smtpd_tls_mandatory_ciphers = high
|
||||
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
|
||||
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
||||
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
|
||||
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
|
||||
smtpd_tls_CApath = /etc/ssl/certs
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ DEFAULT_VARS["SMTP_ONLY"]="${SMTP_ONLY:="0"}"
|
|||
DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}"
|
||||
DEFAULT_VARS["OVERRIDE_HOSTNAME"]="${OVERRIDE_HOSTNAME}"
|
||||
DEFAULT_VARS["POSTSCREEN_ACTION"]="${POSTSCREEN_ACTION:="enforce"}"
|
||||
DEFAULT_VARS["TLS_LEVEL"]="${TLS_LEVEL:="modern"}"
|
||||
##########################################################################
|
||||
# << DEFAULT VARS
|
||||
##########################################################################
|
||||
|
|
@ -731,7 +732,37 @@ function _setup_dkim() {
|
|||
function _setup_ssl() {
|
||||
notify 'task' 'Setting up SSL'
|
||||
|
||||
# SSL Configuration
|
||||
# TLS strength/level configuration
|
||||
case $TLS_LEVEL in
|
||||
"modern" )
|
||||
# Postfix configuration
|
||||
sed -i -r 's/^smtpd_tls_mandatory_protocols=.*$/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1/' /etc/postfix/main.cf
|
||||
sed -i -r 's/^smtpd_tls_protocols=.*$/smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1/' /etc/postfix/main.cf
|
||||
sed -i -r 's/^smtp_tls_protocols=.*$/smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1/' /etc/postfix/main.cf
|
||||
sed -i -r 's/^tls_high_cipherlist=.*$/tls_high_cipherlist=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256/' /etc/postfix/main.cf
|
||||
|
||||
# Dovecot configuration
|
||||
sed -i -r 's/^ssl_protocols = .*$/ssl_protocols = !SSLv3,!TLSv1,!TLSv1.1/' /etc/dovecot/conf.d/10-ssl.conf
|
||||
sed -i -r 's/^ssl_cipher_list = .*$/ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256/' /etc/dovecot/conf.d/10-ssl.conf
|
||||
|
||||
notify 'inf' "TLS configured with 'modern' ciphers"
|
||||
;;
|
||||
"intermediate" )
|
||||
# Postfix configuration
|
||||
sed -i -r 's/^smtpd_tls_mandatory_protocols=.*$/smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3/' /etc/postfix/main.cf
|
||||
sed -i -r 's/^smtpd_tls_protocols=.*$/smtpd_tls_protocols=!SSLv2,!SSLv3/' /etc/postfix/main.cf
|
||||
sed -i -r 's/^smtp_tls_protocols=.*$/smtp_tls_protocols=!SSLv2,!SSLv3/' /etc/postfix/main.cf
|
||||
sed -i -r 's/^tls_high_cipherlist=.*$/tls_high_cipherlist=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS/' /etc/postfix/main.cf
|
||||
|
||||
# Dovecot configuration
|
||||
sed -i -r 's/^ssl_protocols = .*$/ssl_protocols = !SSLv3/' /etc/dovecot/conf.d/10-ssl.conf
|
||||
sed -i -r 's/^ssl_cipher_list = .*$/ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS/' /etc/dovecot/conf.d/10-ssl.conf
|
||||
|
||||
notify 'inf' "TLS configured with 'intermediate' ciphers"
|
||||
;;
|
||||
esac
|
||||
|
||||
# SSL certificate Configuration
|
||||
case $SSL_TYPE in
|
||||
"letsencrypt" )
|
||||
# letsencrypt folders and files mounted in /etc/letsencrypt
|
||||
|
|
|
|||
|
|
@ -46,10 +46,10 @@ ssl_key = </etc/dovecot/ssl/dovecot.key
|
|||
#ssl_dh_parameters_length = 1024
|
||||
|
||||
# SSL protocols to use
|
||||
ssl_protocols = !SSLv3
|
||||
ssl_protocols = !SSLv3,!TLSv1,!TLSv1.1
|
||||
|
||||
# SSL ciphers to use
|
||||
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||
|
||||
# Prefer the server's order of ciphers over client's.
|
||||
ssl_prefer_server_ciphers = yes
|
||||
|
|
|
|||
Loading…
Reference in New Issue