ssl params postfix

1 files changed, 24 insertions, 0 deletions

diff --git a/ymir.nix b/ymir.nix
index 1f3a45db..773b5a71 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -301,6 +301,30 @@ in rec {
     destination = ["yggdrasil.li" "ymir.yggdrasil.li" "praseodym.org" "ymir.praseodym.org" "141.li" "ymir.141.li" "xmpp.li" "ymir.xmpp.li" "dirty-haskell.org" "explainuxul.de" "www.explainuxul.de" "lmu.li" "www.lmu.li" "localhost.yggdrasil.li" "localhost"];
     sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
     sslKey = "/var/lib/acme/yggdrasil.li/key.pem";
+    extraConfig = ''
+      #the dh params
+      smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
+      smtpd_tls_dh512_param_file = /etc/ssl/dhparam.pem
+      #enable ECDH
+      smtpd_tls_eecdh_grade = strong
+      #enabled SSL protocols, don't allow SSLv2 and SSLv3
+      smtpd_tls_protocols= !SSLv2, !SSLv3
+      smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3
+      #allowed ciphers for smtpd_tls_security_level=encrypt
+      smtpd_tls_mandatory_ciphers = high
+      #allowed ciphers for smtpd_tls_security_level=may
+      #smtpd_tls_ciphers = high
+      #enforce the server cipher preference
+      tls_preempt_cipherlist = yes
+      #disable following ciphers for smtpd_tls_security_level=encrypt
+      smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+      #disable following ciphers for smtpd_tls_security_level=may
+      #smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+      #enable TLS logging to see the ciphers for inbound connections
+      smtpd_tls_loglevel = 1
+      #enable TLS logging to see the ciphers for outbound connections
+      smtp_tls_loglevel = 1
+    '';
   };
 
   security.acme = {