From 3fc365ae6f74ee9a6d59d9437de34a16838e2a17 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 26 Feb 2023 19:27:58 +0100
Subject: [PATCH] fix(postfix): Upgrade TLS settings to mozilla recommendations

There have been multiple indicators that the postfix TLS settings are
not ideal; therefore this patch aims to improve the situation.

Reference:
https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=intermediate&openssl=3.0.8&guideline=5.6
---
 images/postfix/Dockerfile     | 10 ++++++++--
 images/postfix/config/main.cf | 35 +++++++++++++----------------------
 2 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/images/postfix/Dockerfile b/images/postfix/Dockerfile
index 8921d45e1..8291e3651 100644
--- a/images/postfix/Dockerfile
+++ b/images/postfix/Dockerfile
@@ -1,7 +1,13 @@
+FROM docker.io/library/alpine:3.17.2 as dhparam
+
+RUN apk add --no-cache openssl
+
+RUN mkdir -p /etc/postfix
+RUN openssl dhparam -out /etc/postfix/postfix_dhparams.pem 2048
+
 FROM docker.io/library/alpine:3.17.2
 
 # Install pre-requirements
-RUN apk update
 RUN apk add --no-cache ca-certificates rsyslog supervisor
 RUN update-ca-certificates
 
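Review bot: The dhparam stage on L21–L26 generates a fresh 2048-bit group on every build from an unpinned `openssl` package, so the resulting image is neither reproducible nor verifiable (the group differs per build and cannot be checked against a known value), and the generation step is slow. The guideline the commit message cites points to the published RFC 7919 ffdhe2048 group rather than a locally generated one; committing that file to the repo and using `COPY config/ffdhe2048.pem /etc/postfix/postfix_dhparams.pem` in the final stage would drop the extra stage and the openssl install entirely. If a locally generated group is deliberately preferred, at least pin the generator, e.g. `RUN apk add --no-cache openssl=<version>`, and say in a comment why a per-build group was chosen over the well-known one.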
@@ -16,7 +22,7 @@ COPY docker/supervisord.conf /etc/
 COPY docker/rsyslog.conf /etc/
 COPY docker/start.sh /usr/local/libexec/start.sh
 RUN chmod +x /usr/local/libexec/start.sh
-
+COPY --from=dhparam --chown=postfix:postfix /etc/postfix/postfix_dhparams.pem /etc/postfix/postfix_dhparams.pem
 #    25: SMTP (Server2Server)
 #   465: SUBMISSIONS (SSL)
 #   587: SMTP (StartTLS)
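Review bot: `COPY --chown=postfix:postfix` on L40 requires the `postfix` user and group to already exist in the final stage at this point, and the package install that creates them is not visible in this hunk; if it comes later, the build fails on this line. DH parameters are public data, so there is no need for the unprivileged daemon to own the file: a root-owned, world-readable file is the least-privilege option and keeps the daemon from being able to overwrite its own TLS configuration. As far as I can tell Postfix reads the smtpd TLS files during privileged pre-jail initialization, so ownership by `postfix` is not required, but that is worth confirming before changing it; if so, `COPY --from=dhparam /etc/postfix/postfix_dhparams.pem /etc/postfix/postfix_dhparams.pem` is enough. Minor: L40 also drops the blank line that separated the COPY run from the port comment block.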
diff --git a/images/postfix/config/main.cf b/images/postfix/config/main.cf
index 108194c9b..d6605dc05 100644
--- a/images/postfix/config/main.cf
+++ b/images/postfix/config/main.cf
@@ -37,32 +37,23 @@ smtp_tls_loglevel = 1
 smtpd_tls_security_level = may
 smtp_tls_security_level = may
 
+# generated 2023-02-26, Mozilla Guideline v5.6, Postfix 3.4.8, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=intermediate&openssl=1.1.1k&guideline=5.6
 smtpd_tls_auth_only = yes
-tls_ssl_options = NO_COMPRESSION
-
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_protocols = !SSLv2, !SSLv3
-lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
-lmtp_tls_protocols = !SSLv2, !SSLv3
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_protocols = !SSLv2, !SSLv3
-smtpd_tls_mandatory_ciphers=high
-tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
-
-tls_preempt_cipherlist = yes
-smtp_dns_support_level = dnssec
-
-smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SEED, IDEA, RC2
-smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SEED, IDEA, RC2
-smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SEED, IDEA, RC2
-smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, SEED, IDEA, RC2
-
-smtpd_tls_eecdh_grade=ultra
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-#smtpd_tls_dh1024_param_file = /srv/config/tls/dh4096.pem
+lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_ciphers = medium
 
-#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
+tls_ssl_options = NO_COMPRESSION
+
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtpd_tls_dh1024_param_file = /etc/postfix/postfix_dhparams.pem
 
 smtp_tls_policy_maps = lmdb:/srv/tmp/tls-policies
 
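Review bot: Overriding `tls_medium_cipherlist` on L85 narrows the cipher grade used by opportunistic TLS, not only the mandatory grade selected on L81: `smtpd_tls_ciphers` and `smtp_tls_ciphers` are not set in this hunk and default to `medium`, and both security levels on L49–L50 are `may`. A peer that offers only RSA-key-exchange or CBC suites will then fail the handshake instead of negotiating a weaker cipher, and for outbound mail that can mean delivery ends up in cleartext, which the Postfix TLS_README explicitly warns about when restricting ciphers for opportunistic sessions. If the intent is to harden only the mandatory (submission) sessions, keep the medium list at its default and use `tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:...:DHE-RSA-AES256-GCM-SHA384` together with `smtpd_tls_mandatory_ciphers = high`. Separately, the new side no longer sets `smtp_dns_support_level`, so the default applies; if the policy map on L92 contains `dane` or `dane-only` entries they need `smtp_dns_support_level = dnssec`, so please confirm that map before relying on DANE. The generated header on L52–L53 says OpenSSL 1.1.1k while the commit message cites the 3.0.8 variant of the guideline; regenerate the comment for the OpenSSL actually shipped so the provenance is accurate.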
-- 
GitLab