Securing postfix with SSL/TLS on RHEL5
Securing postfix (postfix-2.3.3-7.el5), which is built against openssl
This article is part of the Securing Applications Collection
Configuration File
/etc/postfix/main.cf
shortform
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES
Warning
Postfix on RHEL5 only honours the protocol and cipher restrictions above when TLS is mandatory, i.e. when
smtpd_tls_security_level = encrypt
If the setting is
smtpd_tls_security_level = may
then every protocol is allowed and export-grade or better ciphers are accepted, whatever the mandatory_* settings say.
Protocols
smtpd_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_protocols = TLSv1
Allow TLSv1 only
Protocol - Alternative Values
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_mandatory_protocols = SSLv3, TLSv1
Allow SSLv3 or better
Ciphers
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES
Ciphers from openssl's HIGH category, excluding the DES-based ciphers to avoid the SWEET32 attack
Ciphers - Alternative Values
smtp_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
Ciphers from openssl's MEDIUM category or better
Certificate Handling
Postfix uses a separate key file and certificate file.
Key File
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
The key file should be readable only by root.
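The following audit helper is an added example, not part of the original article, covering the Warning above (on Postfix 2.3 the smtpd_tls_mandatory_* limits are silently ignored unless smtpd_tls_security_level = encrypt) and the root-only key file requirement. It assumes GNU stat (as shipped on RHEL) and does not handle main.cf continuation lines.

```shell
#!/bin/sh
# Added audit helper for a Postfix main.cf (not from the original article).
# Assumes GNU stat; main.cf continuation lines are not handled.

# Print the effective value of a main.cf parameter. The last assignment
# wins, as in Postfix; comment lines never match the anchored pattern.
cf_get() {  # cf_get <main.cf> <parameter>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when the mandatory protocol/cipher limits are actually enforced,
# 1 when they are present but ignored (security level is "may" or unset).
check_mandatory_enforced() {  # check_mandatory_enforced <main.cf>
    level=$(cf_get "$1" smtpd_tls_security_level)
    limits="$(cf_get "$1" smtpd_tls_mandatory_protocols)$(cf_get "$1" smtpd_tls_mandatory_ciphers)"
    if [ -n "$limits" ] && [ "$level" != "encrypt" ]; then
        echo "WARNING: smtpd_tls_mandatory_* set but smtpd_tls_security_level=${level:-unset}: limits are ignored" >&2
        return 1
    fi
    return 0
}

# Return 0 only when the configured key file exists, is owned by root and
# has mode 0600, i.e. is readable only by root as the article requires.
check_key_perms() {  # check_key_perms <main.cf>
    key=$(cf_get "$1" smtpd_tls_key_file)
    [ -n "$key" ] && [ -f "$key" ] || return 1
    [ "$(stat -c '%U' "$key")" = root ] && [ "$(stat -c '%a' "$key")" = 600 ]
}

# Demo on a constructed main.cf that reproduces the "may" trap.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'smtpd_tls_security_level = may' \
        'smtpd_tls_mandatory_protocols = TLSv1' \
        'smtpd_tls_mandatory_ciphers = high' > "$d/main.cf"
    check_mandatory_enforced "$d/main.cf" && echo "limits enforced" || echo "limits NOT enforced"
    rm -rf "$d"
}

demo
```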
Certificate File
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
Should contain the server certificate followed by any intermediate certificates and then the root certificate.
Diffie-Hellman Parameter File
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
The use of stronger (ephemeral Diffie-Hellman) ciphers can be enabled by ensuring a Diffie-Hellman parameter file is available.
This file should be renewed on a periodic (weekly) basis:
openssl dhparam -out /etc/pki/tls/private/postfix.dh.param.tmp 1024
mv /etc/pki/tls/private/postfix.dh.param.tmp /etc/pki/tls/private/postfix.dh.param