aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

postfix: require AEAD & ECDHE cipher suites

Browse Source 
This drops ARIA, Camellia and AES-CBC support from TLSv1.2 cipher suites.

When we explicitly restrict the cipherlist in Postfix, then we need to
define TLSv1.3 cipher suites in our OpenSSL config file.
This commit is contained in:
Martin Weinelt
2026-04-24 23:54:25 +02:00
parent 8d6b14c82c
commit 7909eabac2
1 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
mail-server/postfix.nix
+17 -8
View File
@@ -399,10 +399,6 @@ in
smtpd_tls_ciphers = "high"; smtpd_tls_ciphers = "high";
smtpd_tls_mandatory_ciphers = "high"; smtpd_tls_mandatory_ciphers = "high";
# Exclude cipher suites with undesirable properties
smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
# Enable DNSSEC/DANE support for outgoing SMTP connections # Enable DNSSEC/DANE support for outgoing SMTP connections
# https://www.postfix.org/postconf.5.html#smtp_tls_security_level # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_dns_support_level = "dnssec"; smtp_dns_support_level = "dnssec";
@@ -416,10 +412,6 @@ in
smtp_tls_ciphers = "high"; smtp_tls_ciphers = "high";
smtp_tls_mandatory_ciphers = "high"; smtp_tls_mandatory_ciphers = "high";
# Exclude ciphersuites with undesirable properties
smtp_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
smtp_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
tls_config_file = tls_config_file =
let let
mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups); mkGroupString = groups: concatStringsSep " / " (map (concatStringsSep ":") groups);
@@ -430,6 +422,13 @@ in
postfix_settings.ssl_conf = "postfix_ssl_settings"; postfix_settings.ssl_conf = "postfix_ssl_settings";
postfix_ssl_settings.system_default = "baseline_postfix_settings"; postfix_ssl_settings.system_default = "baseline_postfix_settings";
baseline_postfix_settings = { baseline_postfix_settings = {
# Allow all TLSv1.3 cipher suites
Ciphersuites = concatStringsSep ":" [
"TLS_AES_256_GCM_SHA384"
"TLS_AES_128_GCM_SHA256"
"TLS_CHACHA20_POLY1305_SHA256"
];
# Full list: openssl list -tls-groups # Full list: openssl list -tls-groups
# Restrict and prioritize the following curves in the given order # Restrict and prioritize the following curves in the given order
# Excludes curves that have no widespread support, so we don't bloat the handshake needlessly. # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
@@ -475,6 +474,16 @@ in
tls_eecdh_auto_curves = [ ]; tls_eecdh_auto_curves = [ ];
tls_ffdhe_auto_groups = [ ]; tls_ffdhe_auto_groups = [ ];
# Require AEAD & ECDHE for TLSv1.2.
tls_high_cipherlist = concatStringsSep ":" [
"ECDHE-ECDSA-AES256-GCM-SHA384"
"ECDHE-RSA-AES256-GCM-SHA384"
"ECDHE-ECDSA-AES128-GCM-SHA256"
"ECDHE-RSA-AES128-GCM-SHA256"
"ECDHE-ECDSA-CHACHA20-POLY1305"
"ECDHE-RSA-CHACHA20-POLY1305"
];
# As long as all cipher suites are considered safe, let the client use its preferred cipher # As long as all cipher suites are considered safe, let the client use its preferred cipher
tls_preempt_cipherlist = false; tls_preempt_cipherlist = false;