From c90d9f101a8c6d8a14fb154c19c2fcbf312e0c4c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 26 Apr 2016 14:56:24 +0200
Subject: ssl params postfix

---
 ymir.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/ymir.nix b/ymir.nix
index 1f3a45db..773b5a71 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -301,6 +301,30 @@ in rec {
 destination = ["yggdrasil.li" "ymir.yggdrasil.li" "praseodym.org" "ymir.praseodym.org" "141.li" "ymir.141.li" "xmpp.li" "ymir.xmpp.li" "dirty-haskell.org" "explainuxul.de" "www.explainuxul.de" "lmu.li" "www.lmu.li" "localhost.yggdrasil.li" "localhost"];
 sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
 sslKey = "/var/lib/acme/yggdrasil.li/key.pem";
+ extraConfig = ''
+ #the dh params
+ smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
+ smtpd_tls_dh512_param_file = /etc/ssl/dhparam.pem
+ #enable ECDH
+ smtpd_tls_eecdh_grade = strong
+ #enabled SSL protocols, don't allow SSLv2 and SSLv3
+ smtpd_tls_protocols= !SSLv2, !SSLv3
+ smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3
+ #allowed ciphers for smtpd_tls_security_level=encrypt
+ smtpd_tls_mandatory_ciphers = high
+ #allowed ciphers for smtpd_tls_security_level=may
+ #smtpd_tls_ciphers = high
+ #enforce the server cipher preference
+ tls_preempt_cipherlist = yes
+ #disable following ciphers for smtpd_tls_security_level=encrypt
+ smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+ #disable following ciphers for smtpd_tls_security_level=may
+ #smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+ #enable TLS logging to see the ciphers for inbound connections
+ smtpd_tls_loglevel = 1
+ #enable TLS logging to see the ciphers for outbound connections
+ smtp_tls_loglevel = 1
+ '';
 };
 
 security.acme = {
-- 
cgit v1.2.3
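Review bot: `PSD` in the added `smtpd_tls_mandatory_exclude_ciphers` line is not an OpenSSL cipher-string keyword (almost certainly a typo for `PSK`, carried over from a widely copied hardening snippet), and OpenSSL treats an unknown token as matching nothing, so PSK suites are not actually excluded; the fix is `smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL` (and the same in the commented-out `smtpd_tls_exclude_ciphers` line). Every `smtpd_tls_mandatory_*` setting only governs `smtpd_tls_security_level = encrypt`; for opportunistic inbound TLS (`may`, which as far as I recall is what the NixOS postfix module configures once `sslCert` is set) the commented-out `smtpd_tls_ciphers`/`smtpd_tls_exclude_ciphers` lines mean Postfix's defaults apply, so if leaving them unset is deliberate — a peer limited to weak ciphers still gets TLS rather than a cleartext fallback — state that in the comment, e.g. `# intentionally not restricted for =may: excluding ciphers here only forces cleartext fallback`, instead of leaving them looking half-finished. The `!SSLv2, !SSLv3` lists still admit TLSv1.0 and TLSv1.1, which is worth a comment if intended for compatibility. Nothing in this hunk generates `/etc/ssl/dhparam.pem`; if the file is missing Postfix logs a warning and falls back to its built-in parameters, so it should be provisioned (e.g. via the dhparams machinery elsewhere in the config) or the paths dropped. The enclosing attribute set (presumably `services.postfix`) begins before the hunk.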