pmeerw's blog

03 Feb 2019

Sun, 03 Feb 2019

Security checkup for web and email: has a nice & tidy check for IPv6, TLS, HTTPS, DNSSEC, DANE (DNS-based Authentication of Named Entities), DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework) on web and mail servers.

See the results for web and email.

posted at: 23:44 | path: /configuration | permanent link

Various security updates

  1. Enable HTTP Strict Transport Security (HSTS), easy: simply enable Apache headers module, a2enmod headers, and add Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"; yeah, finally A+ on SSL Labs!
  2. Permanent redirect from HTTP to HTTPS using Apache rewrite module:
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
  3. Turn HTTP compression off in Apache: SetEnv no-gzip 1
  4. Enable DANE (RFC 6698) in postfix: check that the DNS resolver on the mail server supports DNSSEC (e.g. use dig and see if the ad flag is present), then set the following in /etc/postfix/
  5. Update postfix cipher suites to disable insecure ciphers in /etc/postfix/
    smtp_tls_ciphers = high
    smtpd_tls_ciphers = high
    smtp_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_exclude_ciphers = aNULL
    smtp_tls_exclude_ciphers = aNULL

posted at: 23:33 | path: /configuration | permanent link

Made with PyBlosxom