SSL / TLS Frage

Günther J. Niederwimmer gjn at gjn.priv.at
Sa Feb 24 15:54:59 CET 2018


Hallo Liste,

könnte einer von EUCH Profis mal auf meine TLS Einstellungen schauen ?

Nach Durchforstung des Netzes, bin ich mir nicht mehr sicher ob das alles so 
stimmt was ich da eingetragen habe und ob das alles auf dem letzten Stand ist.

Ich hänge mal postconf -n an und hoffe ich bekomme Antworten ;-)

-- 
mit freundlichen Grüssen / best regards,

  Günther J. Niederwimmer
-------------- nächster Teil --------------
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_database_type = btree
html_directory = no
inet_interfaces = all
lmtp_dns_support_level = dnssec
lmtp_tls_protocols = $smtp_tls_protocols
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
meta_directory = /etc/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
milter_rcpt_macros = i {rcpt_addr}
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
myhostname = mx01.4gjn.com
mynetworks = 89.xxx.xxx.0/28 127.0.0.0/8 192.168.xxx.0/24 [::ffff:127.0.0.0]/104 [::1]/128 [2001:470:xxx:xxx::]/64
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = drop
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 bl.mailspike.net*2 b.barracudacentral.org*1 bad.psky.me*2 psbl.surriel.com*1 bl.blocklist.de*1 bl.spamcop.net*2 spam.spamrats.com*1 bl.spameatingmonkey.net*1 dnsbl.cobion.com*1 ix.dnsbl.manitu.net*2 hostkarma.junkemailfilter.com*1 dnsbl.inps.de*1 list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].[2..3]*-3 iadb.isipp.com=127.0.[0..255].[0..255]*-2 iadb.isipp.com=127.3.100.[6..200]*-2 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_ttl = 1d
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = static:all
proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.2.4/README_FILES
recipient_delimiter = +
relay_domains = btree:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix3-3.2.4/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_dns_support_level = dnssec
smtp_sasl_security_options = noplaintext, noanonymous
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_exclude_ciphers = aNULL eNULL EXPORT DES 3DES RC4 MD5 PSK aECDH EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CDC3-SHA KRB5-DE5 CBC3-SHA AES128-SHA DHE-RSA-AES128-SHA AES256-SHA DHE-RSA-AES256-SHA CAMELLIA128-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = dane
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient, reject_invalid_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous,
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access btree:/etc/postfix/check_sender_access
smtpd_tls_CAfile = /etc/pki/tls/cert.pem
smtpd_tls_CApath = /etc/pki/tls
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mx01.4gjn.com/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/pki/postfix/private/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/pki/postfix/private/dh_1024.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL eNULL EXPORT DES 3DES RC4 MD5 PSK aECDH EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CDC3-SHA KRB5-DE5 CBC3-SHA
smtpd_tls_key_file = /etc/pki/tls/private/4gjn.com.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL eNULL EXPORT DES RC4 MD5 PSK aECDH EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CDC3-SHA KRB5-DE5 CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_bytes = 128
tls_ssl_options = NO_COMPRESSION
transport_maps = btree:/etc/postfix/transport, $relay_domains
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 577
virtual_alias_maps = btree:/etc/postfix/virtual_alias


Mehr Informationen über die Mailingliste Postfixbuch-users