Ssl

如何在 Postfix 2.11 中強制使用自己的一組密碼?

  • January 7, 2021

我想強制使用一套自己的 TLS 密碼套件,而不是使用內置的 Postfix。

我想要的一組密碼是(取自 nginx 配置):

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

不幸的是,我找不到覆蓋密碼套件的參考。我發現通知是可能的,但不是如何。

smtp和的等效 Postfix 配置看起來如何smtpd

使用 Debian/7、Postfix/2.11.2、OpenSSL/1.0.1e

來自Bettercrypto.org應用加密強化

smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

$$ UPDATE: As the bettercrypto project, where I have the cipher-string from, is no longer active, make sure to chose your cipher-string from a current source. $$ 因為master.cf您可能只想將送出埠配置為 TLS:

submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o tls_preempt_cipherlist=yes

但是,這並不禁止使用過時的密碼來保證安全級別*,*根據pull request #97,您可以這樣做:

smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

但這並沒有與以下原因合併:

我將關閉它,SSLv3 在這裡很有意義,因為它比好的 ol’ 純文字更好。

引用自:https://serverfault.com/questions/670348