From August 19th 2020, SECTIGO issues SSL certificates with a maximum lifetime of 398 days (13 months) as specified by CA/Browser consortium. SSL certificates with a longer lifetime must be re-issued annually (free of charge). You'll receive reminders via e-mail. SSL certificates issued before August 19th 2020 remain valid until their planned expiry date. Code Signing & S/MIME certificates are not affected and remain valid until their planned expiry date.

Postfix TLS 1.3 and Perfect Forward Secrecy configuration

Settings for /etc/postfix/main.cf:

# TLS parameters
# Server certificate, private key and CA bundle
smtpd_tls_cert_file = /home/frank/ssl/myssl.crt
smtpd_tls_key_file = /home/frank/ssl/myssl.key
smtpd_tls_CAfile = /home/frank/ssl/myssl.ca_bundle
# smtpd_use_tls is the pre-2.3 form of smtpd_tls_security_level = may
smtpd_use_tls = yes
# TLS session caches
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Opportunistic TLS for inbound (smtpd) and outbound (smtp) mail
smtpd_tls_security_level = may
smtp_tls_security_level = may
# Cipher exclusions; the *_mandatory_* lists apply only where TLS is mandatory (level encrypt or stronger)
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
# Preferred syntax with Postfix ≥ 2.5:
smtpd_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
# Use the server's cipher preference order instead of the client's
tls_preempt_cipherlist = yes

You can check your configuration using hardenize.com.
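
An offline complement to an external scan, added here as an example and not part of the original article: a short Python script that parses main.cf text, works out which protocol versions each *_protocols list leaves enabled, and notes *_mandatory_* parameters that take effect only where TLS is mandatory while the global level is none or may. The function names and the sample input are assumptions made for this example, and only the name / !name list syntax used above is handled.

```python
# Added example (not from the original article); all names are hypothetical.
import re

KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_main_cf(text):
    """'#' lines are comments; a line starting with whitespace continues
    the previous parameter (main.cf logical-line rules)."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        else:
            key, _, value = map(str.strip, line.partition("="))
            params[key] = value
    return params

def enabled_protocols(value):
    """Evaluate a 'name' / '!name' list: any plain name makes the list
    allow-only, then '!' exclusions are removed. An empty list allows all."""
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    return [p for p in KNOWN if p in (include or KNOWN) and p not in exclude]

def audit(text):
    """Findings for the inbound (smtpd) and outbound (smtp) settings."""
    params, findings = parse_main_cf(text), []
    for side in ("smtpd", "smtp"):
        level = params.get(f"{side}_tls_security_level", "")
        for name in sorted(params):
            if not name.startswith(f"{side}_tls_"):
                continue
            if name.endswith("_protocols"):
                legacy = LEGACY.intersection(enabled_protocols(params[name]))
                if legacy:
                    findings.append(f"{name}: legacy enabled {sorted(legacy)}")
            if "_mandatory_" in name and level in ("none", "may"):
                findings.append(f"{name}: used only where TLS is mandatory; "
                                f"global level is {level}")
    return findings

# Constructed sample: three settings in the style of the configuration above.
SAMPLE = """\
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
"""
```

Calling audit() on the text of a real main.cf returns one finding per parameter; per-service overrides in master.cf and per-destination TLS policy tables are not read by this example.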

