pmeerw's blog

03 Feb 2019

Sun, 03 Feb 2019

Security checkup for web and email: internet.nl

internet.nl has a nice & tidy check for IPv6, TLS, HTTPS, DNSSEC, DANE (DNS-based Authentication of Named Entities), DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework) on web and mail servers.

See the results for pmeerw.net: web and email.

posted at: 23:44 | path: /configuration | permanent link

Various security updates

  1. Enable HTTP Strict Transport Security (HSTS), easy: simply enable the Apache headers module (a2enmod headers) and add
    Header add Strict-Transport-Security "max-age=15768000;includeSubdomains"
    (Header always set ... additionally sends the header on Apache-generated error responses); yeah, finally A+ on SSL Labs!
  2. Permanent redirect from HTTP to HTTPS using Apache rewrite module:
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
  3. Turn HTTP compression off in Apache: SetEnv no-gzip 1
  4. Enable DANE (RFC 6698) in Postfix: check that the DNS resolver used by the mail server validates DNSSEC (e.g. query it with dig +dnssec and see if the ad flag is present in the answer), then set the following in /etc/postfix/main.cf:
    smtp_dns_support_level=dnssec
    smtp_host_lookup=dns
    smtp_tls_security_level=dane
    smtp_tls_loglevel=1

  5. Update the Postfix cipher settings to exclude insecure ciphers in /etc/postfix/main.cf:
    smtp_tls_ciphers = high
    smtpd_tls_ciphers = high
    smtp_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_exclude_ciphers = aNULL
    smtp_tls_exclude_ciphers = aNULL


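To verify steps 1 and 4 after deploying them, the following added example (not from the original post) parses a captured HTTP response and a captured dig answer offline: it checks that the HSTS header carries the intended max-age and includeSubDomains, that the resolver set the ad flag, and that the TLSA records use a certificate usage Postfix actually honours (DANE-TA(2) or DANE-EE(3), RFC 7672). The sample headers and dig output are constructed, and the hostnames and digest are placeholders.

```python
import re

# Constructed sample: what `curl -sI https://www.example.net/` could print after step 1.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=15768000;includeSubdomains\r\n"
    "Content-Type: text/html\r\n"
)

# Constructed sample: what `dig +dnssec TLSA _25._tcp.mail.example.net` could print after step 4.
SAMPLE_DIG = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
    ";; ANSWER SECTION:\n"
    "_25._tcp.mail.example.net. 3600 IN TLSA 3 1 1 PLACEHOLDER_SHA256_HEX\n"
    "_25._tcp.mail.example.net. 3600 IN RRSIG TLSA 13 5 3600 PLACEHOLDER_SIG\n"
)

def parse_hsts(headers):
    """Return {'max_age': int or None, 'include_subdomains': bool}, or None if no HSTS header."""
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        parsed = {"max_age": None, "include_subdomains": False}
        for directive in value.split(";"):
            key, _, val = directive.strip().lower().partition("=")
            if key == "max-age" and val.strip('"').isdigit():
                parsed["max_age"] = int(val.strip('"'))
            elif key == "includesubdomains":  # directive names are case-insensitive (RFC 6797)
                parsed["include_subdomains"] = True
        return parsed
    return None

def hsts_ok(headers, min_age=15768000):
    """True when HSTS is present with max-age >= min_age and includeSubDomains set."""
    p = parse_hsts(headers)
    return p is not None and p["max_age"] is not None and p["max_age"] >= min_age and p["include_subdomains"]

def resolver_validates(dig_output):
    """True when the resolver set the 'ad' (authenticated data) flag, i.e. it validated DNSSEC."""
    m = re.search(r"^;; flags: ([^;]*);", dig_output, re.MULTILINE)
    return m is not None and "ad" in m.group(1).split()

def usable_tlsa(dig_output):
    """(usage, selector, matching_type) of TLSA records Postfix will use: usage 2 or 3 only."""
    records = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] == "IN" and f[3] == "TLSA":
            usage, selector, mtype = (int(x) for x in f[4:7])
            if usage in (2, 3):
                records.append((usage, selector, mtype))
    return records
```

A resolver that answers without the ad flag, or a zone that only publishes usage 0/1 TLSA records, leaves Postfix with no usable DANE data, so both checks should pass before the dane security level goes live.
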
posted at: 23:33 | path: /configuration | permanent link

Made with PyBlosxom