Postfix TLS 1.3 and Perfect Forward Secrecy configuration

Settings for /etc/postfix/main.cf:

# TLS parameters
# The private key must be owned by root and readable only by root (mode 0600);
# Postfix reads it as root at startup.
smtpd_tls_cert_file = /home/frank/ssl/myssl.crt
smtpd_tls_key_file = /home/frank/ssl/myssl.key
smtpd_tls_CAfile = /home/frank/ssl/myssl.ca_bundle
# smtpd_use_tls is the pre-2.3 parameter; it is superseded by smtpd_tls_security_level below.
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# "may" = opportunistic TLS: offer/use STARTTLS, fall back to plaintext if the peer does not support it.
smtpd_tls_security_level = may
smtp_tls_security_level = may
# Cipher exclusions are OpenSSL cipher-spec keywords. The server side (smtpd_) drops
# everything weak; the client side (smtp_) stays more permissive for interoperability.
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
# Protocol lists: the "!name" exclusion syntax is the preferred form with Postfix >= 2.5.
# Listing TLSv1.3 and TLSv1.2 explicitly and excluding everything older has the same
# effect; only TLS 1.2 and 1.3 remain enabled.
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
# Use the server's cipher preference order instead of the client's.
tls_preempt_cipherlist = yes

Negotiating TLS 1.3 requires a Postfix build linked against OpenSSL 1.1.1 or newer; `postconf mail_version` and `openssl version` show what you have. Forward secrecy is built into TLS 1.3, since all of its key exchanges are ephemeral. With TLS 1.2 it depends on the negotiated cipher suite: the exclusion lists above drop broken ciphers but do not exclude static RSA key exchange (OpenSSL keyword kRSA), so a TLS 1.2 peer can still end up with a suite that offers no forward secrecy.

You can check your configuration from the outside using hardenize.com.
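Before relying on an external scanner, it helps to audit the file itself. The following POSIX shell script is an added example (not part of the original article and not a Postfix tool): it reads a main.cf directly instead of calling postconf(1), so it runs without Postfix installed, and checks the points made above: TLS enabled, every protocol list limited to TLS 1.2 and 1.3 (whether written as exclusions, as an inclusion list, a mix of both, or the `>=TLSv1.2` form of Postfix 3.6), the server-side weak-cipher exclusions, and `tls_preempt_cipherlist`. The two sample files it writes are constructed for the demonstration; `hardened.cf` mirrors the settings above, `legacy.cf` an older default-style install.

```shell
#!/bin/sh
# Offline audit of a Postfix main.cf (added example; assumes one "key = value" per line).

# get_param FILE KEY -> prints the last value assigned to KEY (Postfix keeps the last one)
get_param() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                last = v
            }
        }
        END { print last }' "$1"
}

# protocols_ok VALUE -> succeeds only if VALUE leaves nothing older than TLS 1.2 enabled.
# Postfix applies "!name" exclusions after the inclusion list, so a mixed list is accepted.
protocols_ok() {
    value=$(printf '%s' "$1" | tr ',' ' ')
    case "$value" in
        *'>='*) case "$value" in *'>=TLSv1.2'*|*'>=TLSv1.3'*) return 0 ;; *) return 1 ;; esac ;;
    esac
    includes=""
    for tok in $value; do
        case "$tok" in
            "!"*) ;;                         # exclusion, fine whatever it names
            *)    includes="$includes $tok" ;;
        esac
    done
    for legacy in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        if [ -n "$includes" ]; then
            # inclusion list in use: a legacy name must not be included
            for tok in $includes; do [ "$tok" = "$legacy" ] && return 1; done
        else
            # pure exclusion list: each legacy name must be excluded explicitly
            case " $value " in *" !$legacy "*) ;; *) return 1 ;; esac
        fi
    done
    return 0
}

# ciphers_ok VALUE -> succeeds if every cipher class the article drops server-side is listed
ciphers_ok() {
    value=" $(printf '%s' "$1" | tr ',' ' ') "
    for weak in aNULL eNULL DES 3DES MD5 RC4 EXPORT LOW; do
        case "$value" in *" $weak "*) ;; *) return 1 ;; esac
    done
    return 0
}

# audit_main_cf FILE -> prints one PASS/FAIL line per check, returns 0 only if all pass
audit_main_cf() {
    cf=$1; rc=0
    level=$(get_param "$cf" smtpd_tls_security_level)
    case "$level" in
        may|encrypt) echo "PASS smtpd_tls_security_level = $level" ;;
        *) echo "FAIL smtpd_tls_security_level is '$level' (expected may or encrypt)"; rc=1 ;;
    esac
    for key in smtpd_tls_protocols smtpd_tls_mandatory_protocols \
               smtp_tls_protocols smtp_tls_mandatory_protocols; do
        v=$(get_param "$cf" "$key")
        if protocols_ok "$v"; then echo "PASS $key = $v"
        else echo "FAIL $key = '$v' still allows a pre-TLS1.2 protocol"; rc=1; fi
    done
    for key in smtpd_tls_exclude_ciphers smtpd_tls_mandatory_exclude_ciphers; do
        v=$(get_param "$cf" "$key")
        if ciphers_ok "$v"; then echo "PASS $key excludes the weak cipher classes"
        else echo "FAIL $key = '$v' lacks a weak-cipher exclusion"; rc=1; fi
    done
    if [ "$(get_param "$cf" tls_preempt_cipherlist)" = yes ]; then echo "PASS tls_preempt_cipherlist = yes"
    else echo "FAIL tls_preempt_cipherlist is not yes"; rc=1; fi
    return $rc
}

# Constructed sample files for the demonstration (not taken from any real server).
WORK=$(mktemp -d)
cat > "$WORK/hardened.cf" <<'EOF'
smtpd_tls_security_level = may
smtp_tls_security_level=may
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtpd_tls_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtpd_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = >=TLSv1.2
smtp_tls_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
tls_preempt_cipherlist = yes
EOF
cat > "$WORK/legacy.cf" <<'EOF'
# older install: TLS on, but TLS 1.0/1.1 still allowed and only aNULL excluded
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL
tls_preempt_cipherlist = no
EOF

echo "== hardened.cf =="; audit_main_cf "$WORK/hardened.cf"
echo "== legacy.cf ==";   audit_main_cf "$WORK/legacy.cf" || echo "legacy.cf needs work"
```

Run it against a real file with `audit_main_cf /etc/postfix/main.cf`. The script only sees what is written in main.cf, so a parameter left at its compiled-in default (for example `smtpd_tls_protocols` on an older release) is reported as a failure, which is the safe direction; compare with `postconf -n` and `postconf -d` when in doubt. It also does not judge TLS 1.2 key exchange, so the kRSA point above still needs a look at the negotiated suites.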

