From 240dfbb54a8972e6f25e53994c5b900f19b237e4 Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 17 Sep 2024 16:28:25 +0200 Subject: [PATCH] install_postfix_advanced.sh, install_postfix_base.sh: adjust tls parameters of 'main.cf'. --- install_postfix_advanced.sh | 133 +++++++++++++++++++++----------- install_postfix_base.sh | 148 +++++++++++++++++++++++------------- 2 files changed, 185 insertions(+), 96 deletions(-) diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index 9dc03cf..5a8a445 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh 
@@ -1830,64 +1830,109 @@ smtp_tls_CAfile = $_TLS_CA_FILE #smtpd_tls_CApath = /etc/postfix/certs -# Disable SSLv2 SSLv3 - Postfix SMTP server +# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption. +# If the list is empty, the server supports all available TLS protocol versions. # -# List of TLS protocols that the Postfix SMTP server will exclude or -# include with opportunistic TLS encryption. -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 +# default: see 'postconf -d' output +# +smtpd_tls_protocols = >=TLSv1.1 + +# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. +# +smtpd_tls_mandatory_protocols = >=TLSv1.1 + + +# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption. +# +# default: see 'postconf -d' output +# +smtp_tls_protocols = >=TLSv1.2 + +# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. # -# The SSL/TLS protocols accepted by the Postfix SMTP server -# with mandatory TLS encryption. -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 +# default: see 'postconf -d' output +# +smtp_tls_mandatory_protocols = >=TLSv1.2 -# Disable SSLv2 SSLv3 - Postfix SMTP client -# -# List of TLS protocols that the Postfix SMTP client will exclude or -# include with opportunistic TLS encryption. -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -# -# List of SSL/TLS protocols that the Postfix SMTP client will use -# with mandatory TLS encryption -smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +# The Postfix SMTP server security grade for ephemeral elliptic-curve +# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this +# parameter is always ignored, and Postfix behaves as though the auto value +# (described below) was chosen. +# +# auto +# Use the most preferred curve that is supported by both the client and the server. +# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. 
This +# is the default setting under the above conditions (and the only setting used with +# Postfix ≥ 3.6). +# +# none +# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the +# default in Postfix versions 2.6 and 2.7. +# +# strong +# Use EECDH with approximately 128 bits of security at a reasonable computational cost. +# This is the default in Postfix versions 2.8-3.5. +# +# ultra +# Use EECDH with approximately 192 bits of security at computational cost that is +# approximately twice as high as 128 bit strength ECC. +# +smtpd_tls_eecdh_grade = auto -## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange -## - openssl > 1.0 -## - -smtpd_tls_eecdh_grade = strong - -# standard list cryptographic algorithm +# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead +# of the remote client's cipher preference order. +# +# By default, the OpenSSL server selects the client's most preferred cipher that the +# server supports. With SSLv3 and later, the server may choose its own most preferred +# cipher that is supported (offered) by the client. +# +# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences. +# +# default: no +# tls_preempt_cipherlist = yes -# Disable ciphers which are less than 256-bit: + +# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory +# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit +# from globally restricting TLS sessions to a more stringent grade is likely negligible, +# especially given the fact that many implementations still do not offer any stronger +# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers. +# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export" +# or "low" ciphers is typically not a good idea, as systems limited to just these are +# limited to obsolete browsers. 
No known SMTP clients fail to support at least one +# "medium" or "high" grade cipher. # -#smtpd_tls_mandatory_ciphers = high +# default: medium +# +#smtpd_tls_mandatory_ciphers = medium + +# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic +# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the +# base definition of the selected cipher grade. +# +# default: medium # -# opportunistic smtpd_tls_ciphers = high -# Exclude ciphers +# List of ciphers or cipher types to exclude from the SMTP server cipher list at all +# TLS security levels. +# +# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist; +# it is a simple list separated by whitespace and/or commas. The elements are a single cipher, +# or one or more "+" separated cipher properties, in which case only ciphers matching all the +# properties are excluded. +# #smtpd_tls_exclude_ciphers = -# RC4 -# aNULL -# SEED-SHA -# EXP -# MD5 -smtpd_tls_exclude_ciphers = - aNULL - eNULL - EXPORT - DES - RC4 - MD5 - PSK - aECDH - EDH-DSS-DES-CBC3-SHA - EDH-RSA-DES-CDC3-SHA - KRB5-DE5 - CBC3-SHA + +# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher +# list at mandatory TLS security levels. This list works in addition to the exclusions listed +# with smtp_tls_exclude_ciphers +# +#smtp_tls_mandatory_exclude_ciphers = smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache diff --git a/install_postfix_base.sh b/install_postfix_base.sh index cbbc02d..38617d4 100755 --- a/install_postfix_base.sh +++ b/install_postfix_base.sh 
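Review bot: The new `smtpd_tls_protocols = >=TLSv1.1` and `smtpd_tls_mandatory_protocols = >=TLSv1.1` lines (and the `>=TLSv1.2` client values below them) use the `>=` protocol syntax, which as far as I recall Postfix accepts only from 3.6 on; an older postfix rejects the list with a warning along the lines of "Invalid TLS protocol list ... disabling TLS support", so on such a host the script would silently turn server TLS off instead of tightening it. Either guard the heredoc on the installed release (`postconf -d mail_version`) or keep the exclusion form the commit removes, `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1`, which every release accepts and expresses the same policy; the same applies to `smtp_tls_mandatory_protocols = >=TLSv1.2` in install_postfix_base.sh. Separately, the server now stops at TLSv1.1 while the client insists on TLSv1.2; if TLSv1.1 is meant to stay accepted for opportunistic inbound mail, a one-line comment saying so would keep the next reader from "fixing" it. The heredoc that writes main.cf starts before this hunk.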
@@ -905,63 +905,107 @@ smtp_tls_CAfile = $_TLS_CA_FILE #smtpd_tls_CApath = /etc/postfix/certs -# Disable SSLv2 SSLv3 - Postfix SMTP server -# -# List of TLS protocols that the Postfix SMTP server will exclude or -# include with opportunistic TLS encryption. -smtpd_tls_protocols = !SSLv2, !SSLv3 -# -# The SSL/TLS protocols accepted by the Postfix SMTP server -# with mandatory TLS encryption. -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 - - -# Disable SSLv2 SSLv3 - Postfix SMTP client -# -# List of TLS protocols that the Postfix SMTP client will exclude or -# include with opportunistic TLS encryption. -smtp_tls_protocols = !SSLv2, !SSLv3 -# -# List of SSL/TLS protocols that the Postfix SMTP client will use -# with mandatory TLS encryption -smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 - - -## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange -## - openssl > 1.0 -## - -smtpd_tls_eecdh_grade = strong - -# standard list cryptographic algorithm -tls_preempt_cipherlist = yes - -# Disable ciphers which are less than 256-bit: +# Disable SSLv2 SSLv3 - Postfix SMTP server # -#smtpd_tls_mandatory_ciphers = high +# List of TLS protocols that the Postfix SMTP server will exclude or +# include with opportunistic TLS encryption. +#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 + +# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption. # -# opportunistic -smtpd_tls_ciphers = high +#smtpd_tls_protocols = >=TLSv1 + +# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. +# +#smtpd_tls_mandatory_protocols = >=TLSv1 + +# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption. +# +#smtp_tls_protocols = >=TLSv1 + +# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption. 
+# +smtp_tls_mandatory_protocols = >=TLSv1.2 -# Exclude ciphers +# The Postfix SMTP server security grade for ephemeral elliptic-curve +# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this +# parameter is always ignored, and Postfix behaves as though the auto value +# (described below) was chosen. +# +# auto +# Use the most preferred curve that is supported by both the client and the server. +# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This +# is the default setting under the above conditions (and the only setting used with +# Postfix ≥ 3.6). +# +# none +# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the +# default in Postfix versions 2.6 and 2.7. +# +# strong +# Use EECDH with approximately 128 bits of security at a reasonable computational cost. +# This is the default in Postfix versions 2.8-3.5. +# +# ultra +# Use EECDH with approximately 192 bits of security at computational cost that is +# approximately twice as high as 128 bit strength ECC. +# +smtpd_tls_eecdh_grade = auto + + +# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead +# of the remote client's cipher preference order. +# +# By default, the OpenSSL server selects the client's most preferred cipher that the +# server supports. With SSLv3 and later, the server may choose its own most preferred +# cipher that is supported (offered) by the client. +# +# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences. +# +# default: no +# +#tls_preempt_cipherlist = no + + +# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory +# TLS encryption. 
The default grade ("medium") is sufficiently strong that any benefit +# from globally restricting TLS sessions to a more stringent grade is likely negligible, +# especially given the fact that many implementations still do not offer any stronger +# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers. +# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export" +# or "low" ciphers is typically not a good idea, as systems limited to just these are +# limited to obsolete browsers. No known SMTP clients fail to support at least one +# "medium" or "high" grade cipher. +# +# default: medium +# +#smtpd_tls_mandatory_ciphers = medium + +# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic +# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the +# base definition of the selected cipher grade. +# +# default: medium +# +#smtpd_tls_ciphers = medium + + +# List of ciphers or cipher types to exclude from the SMTP server cipher list at all +# TLS security levels. +# +# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist; +# it is a simple list separated by whitespace and/or commas. The elements are a single cipher, +# or one or more "+" separated cipher properties, in which case only ciphers matching all the +# properties are excluded. +# #smtpd_tls_exclude_ciphers = -# RC4 -# aNULL -# SEED-SHA -# EXP -# MD5 -smtpd_tls_exclude_ciphers = - aNULL - eNULL - EXPORT - DES - RC4 - MD5 - PSK - aECDH - EDH-DSS-DES-CBC3-SHA - EDH-RSA-DES-CDC3-SHA - KRB5-DE5, CBC3-SHA + +# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher +# list at mandatory TLS security levels. This list works in addition to the exclusions listed +# with smtp_tls_exclude_ciphers +# +#smtp_tls_mandatory_exclude_ciphers = smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
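Review bot: The comment placed above `smtp_tls_mandatory_protocols = >=TLSv1.2` is the cipher-grade description ("The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.") and does not describe the parameter beneath it, which is the SMTP client's protocol list; replace it with `# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.`, the wording already used in install_postfix_advanced.sh. Second, this hunk drops both `smtpd_tls_ciphers = high` and the explicit `smtpd_tls_exclude_ciphers` list, so the server now runs the default "medium" grade with no exclusions; in current OpenSSL the MEDIUM group includes 3DES, and builds with weak ciphers enabled still offer RC4, both of which the removed list excluded by name, so that widening should be a deliberate, commented decision rather than a side effect — e.g. keep `smtpd_tls_exclude_ciphers = RC4, DES, 3DES, MD5` if the old policy is still wanted. Finally, the two stacked commented-out variants `#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1` and `#smtpd_tls_protocols = >=TLSv1` under the old "Disable SSLv2 SSLv3" heading are archaeology; keep one and drop the stale heading. The heredoc that writes main.cf starts before this hunk and may continue past it.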