Postfix with TLS (the key points)

To enable TLS for Postfix on FreeBSD, proceed as follows.

FreeBSD does not ship a root certificate bundle by default, so install ca_root_nss from ports or with pkg. (It is usually pulled in as a dependency when you install SSL-related ports.)

# cd /usr/ports/security/ca_root_nss/ && make install clean
or
# pkg install security/ca_root_nss

/usr/local/share/certs/ca-root-nss.crt is the root certificate bundle.

Create serverchain.crt by concatenating the server.crt and ca.crt made in "Apache with SSL (the key points)".

% cat server.crt ca.crt > serverchain.crt

Generate the DH parameters ("DH key"), either 1024 or 2048 bit. The example below uses 2048 bit.

# openssl dhparam -out /usr/local/etc/postfix/dhparams.pem 2048

SSLv2 and SSLv3 are not used because of their known vulnerabilities.

Example /usr/local/etc/postfix/main.cf (intended for Postfix 2.6 and later)
smtp_starttls_timeout = 300s
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file = /usr/local/etc/postfix/serverchain.crt
smtp_tls_ciphers = export
smtp_tls_enforce_peername = yes
smtp_tls_force_insecure_host_tlsa_lookup = no
smtp_tls_key_file = /usr/local/etc/postfix/server.key
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = TLSv1.2, TLSv1.1, TLSv1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes

smtpd_starttls_timeout = 300s
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/serverchain.crt
smtpd_tls_ciphers = high
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_key_file = /usr/local/etc/postfix/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = TLSv1.2, TLSv1.1, TLSv1
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dhparams.pem
# Using the following line is recommended (kept as a separate comment line: Postfix does not support trailing comments after a value)
#smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = no

Sorry, I don't really understand the difference between smtpd_tls_mandatory_protocols and smtpd_tls_protocols, or between smtp_tls_mandatory_protocols and smtp_tls_protocols.
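The two pairs are selected by the security level: with an opportunistic level (may, dane) Postfix applies smtp_tls_protocols / smtp_tls_ciphers (and the smtpd_ equivalents), while with a mandatory level (encrypt, dane-only, fingerprint, verify, secure) it applies the *_tls_mandatory_protocols / *_tls_mandatory_ciphers pair. The checker below, an added example that is not part of the original post, parses a main.cf fragment, works out which pair is in effect for the client (smtp) and server (smtpd) side, and flags settings that would still permit SSLv2/SSLv3, a cipher grade below medium, or a missing DH parameter file. The embedded main.cf is a constructed sample modelled on the configuration above; the parse_main_cf, effective_tls_policy, allows_sslv2_or_sslv3 and audit functions are the example's own names, not Postfix APIs.

```python
"""Added example: report the TLS protocol/cipher settings Postfix actually
applies for a main.cf, depending on the configured security level."""
import re

# Constructed sample main.cf fragment (not a real server's configuration),
# modelled on the settings discussed on this page.
SAMPLE_MAIN_CF = """\
# constructed sample
smtp_tls_security_level = may
smtp_tls_ciphers = export
smtp_tls_protocols = TLSv1.2, TLSv1.1, TLSv1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

smtpd_tls_security_level = may
smtpd_tls_ciphers = high
smtpd_tls_protocols = TLSv1.2, TLSv1.1, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dhparams.pem
"""

# Security levels at which Postfix switches to the *_mandatory_* parameters.
MANDATORY_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
OPPORTUNISTIC_LEVELS = {"may", "dane"}
# Postfix cipher grades, weakest first.
CIPHER_RANK = {"null": 0, "export": 1, "low": 2, "medium": 3, "high": 4}


def parse_main_cf(text):
    """Parse 'name = value' lines into a dict.

    Only a line whose first non-blank character is '#' is a comment; Postfix
    has no trailing comments, so 'a = b # c' keeps '# c' as part of the value.
    A line starting with whitespace continues the previous value."""
    params = {}
    last = None
    for raw in text.splitlines():
        if raw[:1].isspace() and raw.strip() and last is not None:
            params[last] += " " + raw.strip()
            continue
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            last = None  # conservative: a blank/comment line ends a logical line
            continue
        name, value = line.split("=", 1)
        last = name.strip()
        params[last] = value.strip()
    return params


def effective_tls_policy(params, role):
    """Return the level, protocol list and cipher grade Postfix applies for
    role 'smtp' (client side) or 'smtpd' (server side)."""
    level = params.get(f"{role}_tls_security_level", "none")
    if level in MANDATORY_LEVELS:
        proto_key, cipher_key = f"{role}_tls_mandatory_protocols", f"{role}_tls_mandatory_ciphers"
    elif level in OPPORTUNISTIC_LEVELS:
        proto_key, cipher_key = f"{role}_tls_protocols", f"{role}_tls_ciphers"
    else:
        return {"level": level, "protocols": None, "ciphers": None}
    # Protocol lists are comma- or whitespace-separated.
    protocols = [p for p in re.split(r"[,\s]+", params.get(proto_key, "")) if p]
    return {"level": level, "protocols": protocols, "ciphers": params.get(cipher_key, "").lower()}


def allows_sslv2_or_sslv3(protocols):
    """True when the list could still permit SSLv2 or SSLv3.

    Postfix accepts an inclusion list (TLSv1.2, TLSv1.1, TLSv1), which permits
    only the named versions, or an exclusion list (!SSLv2, !SSLv3). An empty
    list means the compiled-in default, which varies by release, so it is
    treated as unsafe here to force an explicit setting."""
    if not protocols:
        return True
    included = {p for p in protocols if not p.startswith("!")}
    excluded = {p[1:] for p in protocols if p.startswith("!")}
    if included:
        return bool(included & {"SSLv2", "SSLv3"})
    return not {"SSLv2", "SSLv3"} <= excluded


def audit(params):
    """Return (severity, message) findings for the effective client and server policy."""
    findings = []
    for role in ("smtp", "smtpd"):
        pol = effective_tls_policy(params, role)
        if pol["protocols"] is None:
            findings.append(("info", f"{role}: TLS disabled (security_level={pol['level']})"))
            continue
        if allows_sslv2_or_sslv3(pol["protocols"]):
            findings.append(("high", f"{role}: effective protocol list {pol['protocols']} still permits SSLv2/SSLv3"))
        grade = pol["ciphers"]
        if grade and CIPHER_RANK.get(grade, 0) < CIPHER_RANK["medium"]:
            # Weak grades are a real problem only when TLS is mandatory; under
            # opportunistic TLS the alternative is cleartext, so report as info.
            sev = "high" if pol["level"] in MANDATORY_LEVELS else "info"
            findings.append((sev, f"{role}: effective cipher grade '{grade}' is below medium at level '{pol['level']}'"))
    if not params.get("smtpd_tls_dh1024_param_file"):
        findings.append(("medium", "smtpd: no smtpd_tls_dh1024_param_file set; Postfix falls back to compiled-in DH parameters"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"[{sev}] {msg}")
```

Run against the sample, the only finding is the informational one for smtp_tls_ciphers = export: because both sides use security level may, the mandatory_* lines above never take effect, which is exactly why changing smtp_tls_security_level to encrypt switches the client to the !SSLv2, !SSLv3 / medium pair without touching the other lines.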

Once the configuration is done, restart postfix and test it on the CheckTLS.com page: enter one of the mail addresses served by the postfix server and press the [Try It] button. After a short while the TLS test results are displayed.

CheckTLS.com

Every item must come back OK, as in the screenshot.

Next, following the TestSender page on CheckTLS.com, send a mail from your own postfix server to CheckTLS.com and check the mail that comes back. As long as its subject is at least "CheckTLS TestSender SUCCESSFUL", there should be no problem.

CheckTLS.com offers several other useful tests as well, so it is recommended.