chris_cross
New Pleskian
Dear colleagues,
I tried to harden our Plesk servers and encountered a problem with switching to individual DH keys.
We are running Postfix version 2.9.6-2 on Debian 7 boxes with Plesk 12.
First I removed SSLv3 and limited the ciphers as proposed in the Guide to Deploying Diffie-Hellman for TLS. All excluded ciphers won't be served. Nevertheless, the newly created individual 2048-bit DH key under /etc/ssl/dhparam.pem would not be used.
The test tool https://tools.keycdn.com/logjam can check ports. So when I check port 25, I get the message that the server is not vulnerable, but that I should turn on ECDH.
So I was wondering what is missing. I checked the Postfix documentation, but could not find further help there.
I've kept the master.cf as is and changed the main.cf to this:
smtpd_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_cert_file=/opt/psa/admin/conf/httpsd.pem
smtpd_tls_key_file=/opt/psa/admin/conf/httpsd.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# /etc/ssl/dhparam.pem holds an individual 2048-bit DH parameter set
# (Postfix only honours whole-line comments; text after a value on the same line becomes part of the value)
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA, CBC3-SHA
smtpd_tls_ciphers = high
Do I have to modify the master.cf as well?
Here I found entries for every domain/IP:
plesk-domainname.com-1.2.3.4 - unix - n n - - smtp -o smtp_bind_address=1.2.3.4 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=domainname.com
Do I have to add -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file to those entries? I want to keep the setting permanent. I have experienced in the past that Plesk tends to overwrite the settings I've made.
Does someone have a "best practice" for Postfix with Plesk for high security?
Finally, I want to use only TLS 1.0 to TLS 1.2, secure ciphers and 2048-bit Diffie-Hellman keys.
Thanks
Chris
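To see which ephemeral key port 25 really negotiates, instead of relying on the checker's one-line verdict, here is an added example (not from the post or from Plesk): it drives openssl s_client through STARTTLS and reads the "Server Temp Key" line that OpenSSL 1.0.2 and later print. The hostname and the embedded sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the forum post: asks the MTA on port 25 (the smtpd
# service that the smtpd_tls_* settings apply to) for a DHE or ECDHE cipher and
# reports the ephemeral key the server actually used. Needs an OpenSSL client of
# 1.0.2 or later; older s_client builds print no "Server Temp Key" line, and the
# parser then reports "unknown".

# Read s_client output on stdin; print "DH <bits>", "ECDH <curve>" or "unknown".
temp_key_from_output() {
    awk -F': ' '
        /^Server Temp Key:/ {
            # Forms seen in practice: "DH, 2048 bits", "ECDH, P-256, 256 bits",
            # and with OpenSSL 3 "X25519, 253 bits".
            split($2, f, ", ")
            if (f[1] == "DH")        { sub(/ bits$/, "", f[2]); print "DH " f[2] }
            else if (f[1] == "ECDH") { print "ECDH " f[2] }
            else if (f[1] ~ /^(X25519|X448|P-[0-9]+)$/) { print "ECDH " f[1] }
            else                     { print "unknown" }
            found = 1
        }
        END { if (!found) print "unknown" }'
}

# Exit 0 when the key is ECDH or DH of at least 2048 bits, 1 otherwise.
temp_key_is_strong() {
    case "$1" in
        "ECDH "*) return 0 ;;
        "DH "*)   [ "${1#DH }" -ge 2048 ] ;;
        *)        return 1 ;;
    esac
}

# Probe a live server: $1 = host, $2 = cipher filter ("DHE" or "ECDHE").
probe_mail_tls() {
    openssl s_client -starttls smtp -connect "$1:25" -cipher "$2" </dev/null 2>/dev/null \
        | temp_key_from_output
}

# Constructed sample of s_client output so the parser can be exercised offline.
SAMPLE_OUTPUT='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
Server Temp Key: DH, 2048 bits'
key=$(printf '%s\n' "$SAMPLE_OUTPUT" | temp_key_from_output)
temp_key_is_strong "$key" && echo "sample: $key (ok)"

# Against a real MTA (hostname is a placeholder):
#   probe_mail_tls mail.example.invalid DHE     # "DH 2048" once the dhparam file is loaded
#   probe_mail_tls mail.example.invalid ECDHE   # "ECDH ..." once eecdh is enabled
```

Run the DHE probe before and after a `postfix reload`; if it still reports 1024 bits, the dhparam setting is not reaching the smtpd service that answers on port 25.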