[Cryptography] ADMIN (sort of): Opportunistic TLS now turned on for list server
Perry E. Metzger
perry at piermont.com
Sun Jun 8 18:11:08 EDT 2014
On Mon, 9 Jun 2014 07:02:49 +1000 (EST) Dave Horsfall
<dave at horsfall.org> wrote:
> On Sun, 8 Jun 2014, Perry E. Metzger wrote:
>
> > Thanks to some help from Viktor Dukhovni, the mail server that
> > runs the list is now doing opportunistic TLS for SMTP connections.
>
> So we should probably start generating our own certificates?
If you're running postfix, this will give you fine results. (All this
courtesy of Viktor Dukhovni):
# cd /etc/postfix
# ( umask 077; openssl req -new \
    -newkey rsa:2048 -keyout /dev/stdout -nodes \
    -x509 -subj "/CN=$(uname -n)" -days 3650 >> smtpd_cert.pem.tmp &&
    mv smtpd_cert.pem.tmp smtpd_cert.pem )
# openssl dhparam -out dh2048.pem 2048
# openssl dhparam -out dh1024.pem 1024
# openssl dhparam -out dh512.pem 512
Then add this to your main.cf:
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file = ${config_directory}/smtpd_cert.pem
# MTAs are generally able to support 2048-bit EDH as clients.
#
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
Note that the use of dh2048 with the smtpd_tls_dh1024_param_file
config variable is *not* a misprint.
Anyway, for a small site running a reasonably recent postfix, do this,
reload your configs, and you're probably good to go. If you have very
old clients submitting to the host in question, they may need an
override on the options for the submission daemon in master.cf:
-o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem
but I haven't seen any need for that with modern client machines.
Perry
--
Perry E. Metzger perry at piermont.com
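Added example (not part of Perry's post or of Postfix itself): a small checker that parses a main.cf fragment the way Postfix reads it (continuation lines start with whitespace, comment lines start with '#', $name and ${name} are expanded) and verifies the opportunistic-TLS settings above are present. It also flags the one setting a practitioner most often gets wrong on an inbound MX: smtpd_tls_security_level = encrypt, which makes TLS mandatory and rejects senders that do not offer STARTTLS. The sample main.cf text is constructed for this example; the function names are mine.

```python
"""Check a Postfix main.cf fragment for the opportunistic TLS settings.

Added example, not code from the original post. Assumes Postfix main.cf
syntax: 'name = value', lines beginning with whitespace continue the
previous parameter, comment lines start with '#', and values may refer to
other parameters as $name or ${name}. SAMPLE_MAIN_CF is constructed.
"""
import re

# Constructed sample: the settings from the post plus the two directories
# they refer to, with the cache databases on continuation lines.
SAMPLE_MAIN_CF = """\
config_directory = /etc/postfix
data_directory = /var/lib/postfix
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database =
    btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database =
    btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file = ${config_directory}/smtpd_cert.pem
# MTAs are generally able to support 2048-bit EDH as clients.
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
"""

_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def parse_main_cf(text):
    """Return {parameter: raw value}; later assignments override earlier ones."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any parameter")
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed main.cf line: {line!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name / ${name} references, recursively, with a loop guard."""
    if depth > 10:
        raise ValueError("parameter expansion too deep (reference loop?)")

    def repl(match):
        name = match.group(1) or match.group(2)
        return expand(params.get(name, ""), params, depth + 1)

    return _VAR.sub(repl, value)


def check_opportunistic_tls(params):
    """Return a list of findings; an empty list means the settings match the post."""
    findings = []

    def get(name):
        return expand(params.get(name, ""), params)

    for side in ("smtp", "smtpd"):
        level = get(f"{side}_tls_security_level")
        if level == "":
            findings.append(f"{side}_tls_security_level unset: TLS stays off")
        elif level != "may":
            note = f"{side}_tls_security_level={level}, post uses 'may'"
            if side == "smtpd" and level == "encrypt":
                note += " (mandatory TLS on an MX rejects senders without STARTTLS)"
            findings.append(note)
        if not get(f"{side}_tls_session_cache_database").startswith("btree:"):
            findings.append(f"{side}_tls_session_cache_database not a btree: database")
    if not get("smtpd_tls_cert_file"):
        findings.append("smtpd_tls_cert_file unset: server has no certificate to offer")
    if not get("smtpd_tls_dh1024_param_file"):
        findings.append("smtpd_tls_dh1024_param_file unset: your dh2048.pem is not used")
    return findings


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print("cert file:", expand(cfg["smtpd_tls_cert_file"], cfg))
    print("findings:", check_opportunistic_tls(cfg) or "none")
```

Feed it the output of `postconf -n` (or your main.cf) instead of the sample to check a real host; the parser is intentionally strict and raises on a malformed line rather than guessing.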