With new GDPR rules, users are requesting safer configuration for mail and HTTP servers.
Do we need to change our defaults or simply add a new checkbox to enforce the following options?
Apache
Disable SSLv2, SSLv3 and improve ciphers.
We currently don’t have a page inside the Server Manager to expose such configuration.
Some other open questions:
- Should this configuration be applied to all virtual hosts? And what about the default one?
- Should httpd-admin always have a stricter SSL configuration?
References:
Postfix: remove Gmail red padlock
Whenever possible, use TLS encryption for SMTP.
Tested and safe Postfix configuration:
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
Reference log from Postfix:
Feb 9 16:46:50 support postfix/smtp[1473]: setting up TLS connection to aspmx.l.google.com[2a00:1450:4013:c00::1a]:25
Feb 9 16:46:50 support postfix/smtp[1473]: certificate verification failed for aspmx.l.google.com[2a00:1450:4013:c00::1a]:25: untrusted issuer /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Feb 9 16:46:50 support postfix/smtp[1476]: setting up TLS connection to gmail-smtp-in.l.google.com[2a00:1450:400c:c00::1b]:25
Feb 9 16:46:50 support postfix/smtp[1473]: Untrusted TLS connection established to aspmx.l.google.com[2a00:1450:4013:c00::1a]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
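To see what the log above actually tells us, here is an added example (not NethServer code) that classifies Postfix TLS log lines by trust level ("Anonymous": no certificate checked, "Untrusted": certificate presented but chain not verified, "Trusted": chain verified, "Verified": chain verified and name matched), pairs each session with a preceding "certificate verification failed" line, and flags legacy protocols or weak ciphers. The first three sample lines are copied from the log above; the last two are constructed to show what the later "disable old ciphers" change is meant to catch. The finding rules (forward secrecy = ECDHE/DHE prefix, RC4/DES/NULL = weak) are this example's own assumptions.

```python
"""Classify Postfix TLS log lines by trust level, protocol and cipher.
Added example, not NethServer code: feed it /var/log/maillog text."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: lines 1-3 are the log quoted on the page, lines 4-5 are
# invented to show a legacy protocol (SSLv3) and a weak cipher (RC4) being flagged.
SAMPLE_LOG = """\
Feb 9 16:46:50 support postfix/smtp[1473]: setting up TLS connection to aspmx.l.google.com[2a00:1450:4013:c00::1a]:25
Feb 9 16:46:50 support postfix/smtp[1473]: certificate verification failed for aspmx.l.google.com[2a00:1450:4013:c00::1a]:25: untrusted issuer /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Feb 9 16:46:50 support postfix/smtp[1473]: Untrusted TLS connection established to aspmx.l.google.com[2a00:1450:4013:c00::1a]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 9 16:47:02 support postfix/smtp[1480]: Untrusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Feb 9 16:47:05 support postfix/smtpd[1490]: Anonymous TLS connection established from client.example.test[198.51.100.7]: SSLv3 with cipher RC4-SHA (128/128 bits)
"""

# "peer" is host[address]; the address may contain colons (IPv6), so stop at the first ']'.
_ESTABLISHED = re.compile(
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<peer>\S+?\])(?::\d+)?: (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
_VERIFY_FAILED = re.compile(
    r"certificate verification failed for (?P<peer>\S+?\])(?::\d+)?: (?P<reason>.+)$"
)

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}  # what the proposed "!SSLv2, !SSLv3" settings remove


@dataclass
class TlsEvent:
    peer: str
    level: str                 # Anonymous | Untrusted | Trusted | Verified
    proto: str
    cipher: str
    bits: int
    verify_reason: str | None = None   # from a preceding "verification failed" line
    findings: list[str] = field(default_factory=list)


def assess(ev: TlsEvent) -> list[str]:
    """Assumed review rules; encrypted-but-unverified sessions are reported, not rejected."""
    findings = []
    if ev.proto in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {ev.proto}")
    if not (ev.cipher.startswith("ECDHE-") or ev.cipher.startswith("DHE-")):
        findings.append("no forward secrecy")
    if any(weak in ev.cipher for weak in ("RC4", "DES", "NULL")):
        findings.append(f"weak cipher {ev.cipher}")
    if ev.level in ("Anonymous", "Untrusted"):
        findings.append("peer identity not verified (encrypted only)")
    return findings


def parse_tls_events(log_text: str) -> list[TlsEvent]:
    """Return one TlsEvent per established session, in log order."""
    pending_failures: dict[str, str] = {}
    events: list[TlsEvent] = []
    for line in log_text.splitlines():
        m = _VERIFY_FAILED.search(line)
        if m:
            pending_failures[m["peer"]] = m["reason"]   # remember until the session line
            continue
        m = _ESTABLISHED.search(line)
        if m:
            ev = TlsEvent(m["peer"], m["level"], m["proto"], m["cipher"], int(m["bits"]),
                          pending_failures.pop(m["peer"], None))
            ev.findings = assess(ev)
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in parse_tls_events(SAMPLE_LOG):
        print(f"{ev.level:9} {ev.proto:7} {ev.cipher:30} {ev.peer}")
        if ev.verify_reason:
            print(f"          reason: {ev.verify_reason}")
        for finding in ev.findings:
            print(f"          - {finding}")
```

Run against the page's own lines this reports the Gmail delivery as TLSv1.2 with a forward-secret cipher but "peer identity not verified": with `smtp_tls_security_level = may` that is expected behaviour, since opportunistic TLS encrypts without authenticating the remote MX, and it is still enough to clear Gmail's red padlock.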
References:
- Email Encryption FAQs - Transparency Report Help Center
- https://www.quora.com/Received-an-email-from-Google-with-a-red-unlocked-sign-that-says-this-message-was-not-encrypted-What-does-it-mean
Postfix: disable old ciphers
Postfix configuration:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
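An added example (not NethServer code) that lints a main.cf excerpt for the settings proposed in this issue: it reads `name = value` lines (with comments and continuation lines), resolves Postfix's protocol list syntax where a plain name enables a protocol and `!name` excludes it, and reports any of the four protocol parameters that is missing or still admits SSLv2/SSLv3, plus a security level that leaves TLS off. The two config excerpts are constructed; the rule that a list with no plain names starts from all known protocol names is this example's simplification of the Postfix syntax.

```python
"""Lint a Postfix main.cf excerpt for the TLS protocol and security-level
settings proposed above.  Added example, not NethServer code; it reads text,
so the output of `postconf -n` can be fed to parse_main_cf() as well."""
from __future__ import annotations
import re

KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
PROTOCOL_PARAMS = (
    "smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
    "smtp_tls_mandatory_protocols", "smtp_tls_protocols",
)

# Constructed excerpt: the proposed lines plus a comment, an unrelated
# setting and a continuation line, so the parser has to cope with them.
GOOD_MAIN_CF = """\
# main.cf (constructed sample)
myhostname = support.example.test
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,
    !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
"""

# Constructed excerpt of a server that was never hardened.
BAD_MAIN_CF = """\
smtpd_tls_security_level = none
smtpd_tls_protocols = SSLv3, TLSv1, TLSv1.2
smtp_tls_protocols = !SSLv2
"""


def parse_main_cf(text: str) -> dict[str, str]:
    """Minimal main.cf reader: 'name = value', '#' comments, and
    continuation lines that start with whitespace."""
    params: dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def allowed_protocols(value: str) -> set[str]:
    """Resolve a protocol list: plain names enable, '!name' excludes.
    Assumption: with no plain names the list starts from all known protocols."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    base = included if included else set(KNOWN_PROTOCOLS)
    return base - excluded


def audit(params: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the excerpt matches the proposal."""
    findings: list[str] = []
    for name, direction in (("smtpd_tls_security_level", "inbound"),
                            ("smtp_tls_security_level", "outbound")):
        level = params.get(name, "") or "none"   # Postfix default is empty, i.e. no TLS
        if level == "none":
            findings.append(f"{name}: {direction} TLS is not enabled (want 'may' or stricter)")
    for name in PROTOCOL_PARAMS:
        if name not in params:
            findings.append(f"{name}: not set, Postfix default applies")
            continue
        allowed = allowed_protocols(params[name])
        for proto in sorted(allowed & LEGACY_PROTOCOLS):
            findings.append(f"{name}: still allows {proto}")
        for proto in sorted(allowed - KNOWN_PROTOCOLS):
            findings.append(f"{name}: unknown protocol name {proto}")
    return findings


if __name__ == "__main__":
    for label, text in (("proposed", GOOD_MAIN_CF), ("unhardened", BAD_MAIN_CF)):
        issues = audit(parse_main_cf(text))
        print(f"{label}: {'OK' if not issues else str(len(issues)) + ' finding(s)'}")
        for issue in issues:
            print("  -", issue)
```

The second excerpt shows the case that matters for the checkbox question: `smtp_tls_protocols = !SSLv2` alone still leaves SSLv3 enabled, so a UI that enforces these options has to write all four parameters, not just one.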
Reference:
/cc @dev_team