Securing postfix with SSL/TLS on RHEL6
Securing postfix (postfix-2.6.6-8.el6) that uses openssl
This article is part of the Securing Applications Collection
Configuration File
/etc/postfix/main.cf
shortform
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
Warning
Postfix on RHEL6 only allows control of the protocols and/or ciphers when
smtpd_tls_security_level = encrypt
If the setting is
smtpd_tls_security_level = may
then all protocols are allowed, and export-grade or better ciphers are used.
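The warning above is easy to get wrong in practice: a main.cf that carries all the protocol and cipher restrictions but still has smtpd_tls_security_level = may looks hardened and is not. The following POSIX shell script is an added example (not part of the Red Hat article) that reads a main.cf and reports that condition, any protocol list that does not exclude SSLv2 and SSLv3, and any cipher grade other than high. The helper names mcf_get and audit_main_cf are my own; the parameter names and expected values are the ones from the configuration above. Like Postfix, mcf_get takes the last assignment of a parameter as the effective one; it does not handle indented continuation lines.

```shell
#!/bin/sh
# Audit a postfix main.cf for the TLS settings discussed in the article.
# Added example; helper names are assumptions, not postfix tooling.

# Print the effective value of a main.cf parameter.  Postfix uses the
# last assignment in the file, so the last match wins.  Comment lines
# are skipped; "name = value" and "name=value" are both accepted.
mcf_get() {  # mcf_get <main.cf> <parameter>
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[ \t]*=/) {
                    sub(/^[ \t]*=[ \t]*/, "", rest)
                    val = rest
                }
            }
        }
        END { print val }' "$1"
}

# Return 0 when the TLS configuration is sound, 1 otherwise, printing
# one finding per line:
#  - smtpd_tls_security_level must be "encrypt"; with "may" the protocol
#    and cipher restrictions are not enforced on RHEL6
#  - every protocol list must exclude SSLv2 and SSLv3
#  - the mandatory cipher grade must be "high" on client and server side
audit_main_cf() {  # audit_main_cf <main.cf>
    cf=$1; rc=0
    level=$(mcf_get "$cf" smtpd_tls_security_level)
    if [ "$level" != "encrypt" ]; then
        echo "smtpd_tls_security_level is '${level:-unset}', expected 'encrypt'"
        rc=1
    fi
    for p in smtpd_tls_mandatory_protocols smtpd_tls_protocols \
             smtp_tls_mandatory_protocols smtp_tls_protocols; do
        v=$(mcf_get "$cf" "$p")
        for bad in SSLv2 SSLv3; do
            case "$v" in
                *"!$bad"*) ;;   # explicitly excluded
                *) echo "$p does not exclude $bad (value: '${v:-unset}')"; rc=1 ;;
            esac
        done
    done
    for c in smtp_tls_mandatory_ciphers smtpd_tls_mandatory_ciphers; do
        v=$(mcf_get "$cf" "$c")
        [ "$v" = "high" ] || { echo "$c is '${v:-unset}', expected 'high'"; rc=1; }
    done
    return $rc
}

# Usage: audit_main_cf /etc/postfix/main.cf && echo "TLS settings OK"
```

Run it after every change to main.cf, or from cron, so that a later edit that flips the security level back to may does not silently disable the protocol and cipher restrictions.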
Protocols
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
TLSv1 or better
Protocol - Alternative Values
smtpd_tls_mandatory_protocols = TLSv1.2, !TLSv1, !TLSv1.1, !SSLv3, !SSLv2
smtpd_tls_protocols = TLSv1.2, !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
smtp_tls_mandatory_protocols = TLSv1.2, !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
smtp_tls_protocols = TLSv1.2, !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
Disable everything except TLSv1.2. Note that this will currently result in rejection of some encrypted traffic in anything other than a closed environment.
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
Allow SSLv3 or better
Ciphers
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES
Ciphers provided in OpenSSL's HIGH category, excluding DES-based ciphers to avoid the SWEET32 attack.
Ciphers - Alternative Values
smtp_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
Ciphers provided in OpenSSL's MEDIUM or better category.
Certificate Handling
Postfix uses a key file and a certificate file.
Key File
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
The key should be readable only by root.
Certificate File
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
Should contain the server certificate followed by any intermediate certificates and then the root certificate.
Diffie-Hellman Parameter File
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
The use of stronger ciphers can be enabled by ensuring there is a Diffie-Hellman parameter file available.
This file should be renewed on a periodic (weekly) basis.
openssl dhparam -out /etc/pki/tls/private/postfix.dh.param.tmp 1024
mv /etc/pki/tls/private/postfix.dh.param.tmp /etc/pki/tls/private/postfix.dh.param
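The three files in this section each have a property worth checking before reloading Postfix: the key must not be readable by group or other, the certificate file must hold certificates (and never the private key), and the DH parameter file must be swapped in atomically so Postfix never reads a half-written file. The following POSIX shell functions are an added example, not part of the Red Hat article: check_key_perms, check_cert_file and renew_dh_param are my own helper names; the file paths are the article's, and renew_dh_param runs the same two commands the text gives, with the temporary file removed if generation fails.

```shell
#!/bin/sh
# Checks for the key, certificate and DH parameter files described above.
# Added example; helper names are assumptions, not postfix or RHEL tooling.

# The private key must be readable only by its owner (mode 0600 or
# stricter) and owned by the expected account, root by default.  Parses
# "ls -ld" rather than "stat" so it works with both GNU and BSD userland;
# the trailing "." or "+" that ls prints for SELinux labels or ACLs is allowed.
check_key_perms() {  # check_key_perms <keyfile> [owner]
    f=$1; want=${2:-root}
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    set -- $(ls -ld "$f")
    case "$1" in
        -???------*) ;;   # group and other have no permission bits
        *) echo "$f: mode is $1, group/other must have no access"; return 1 ;;
    esac
    [ "$3" = "$want" ] || { echo "$f: owner is $3, expected $want"; return 1; }
    return 0
}

# The certificate file holds the server certificate followed by the
# intermediate and root certificates.  It must contain at least one
# certificate and no private key (keys belong in smtpd_tls_key_file).
check_cert_file() {  # check_cert_file <certfile>
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")
    [ "$n" -ge 1 ] || { echo "$f: no certificate found"; return 1; }
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "$f: contains a private key; keep keys in smtpd_tls_key_file"
        return 1
    fi
    echo "$f: $n certificate(s)"
    return 0
}

# Regenerate the Diffie-Hellman parameter file: generate into a temporary
# file, restrict its mode, then mv it into place so the swap is atomic.
# The bit size defaults to the 1024 the article uses.
renew_dh_param() {  # renew_dh_param <dhfile> [bits]
    out=$1; bits=${2:-1024}; tmp="$out.tmp"
    openssl dhparam -out "$tmp" "$bits" 2>/dev/null || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$out"
}

# Usage, as root, before "service postfix reload":
#   check_key_perms /etc/pki/tls/private/postfix.key &&
#   check_cert_file /etc/pki/tls/certs/postfix.pem &&
#   renew_dh_param /etc/pki/tls/private/postfix.dh.param
```

Putting renew_dh_param in a weekly cron job gives the periodic renewal the text asks for; because the new parameters only appear under the final name after mv completes, Postfix keeps serving the old parameters until the swap and never sees a partial file.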