pmeerw's blog

Jun 2022

Mon, 13 Jun 2022

Postfix config, security update

Adjusting postfix config ( to make happy:

  1. Set TLS options to disable compression and renegotiation:
  2. Prefer the server cipher list over the client:
    tls_preempt_cipherlist = yes
  3. Use a big DH key, DH-2048 is insufficient, use a Diffie-Hellman Ephemeral (DHE) key as per RFC7919. Downloadable from here.
    smtpd_tls_dh1024_param_file = /etc/postfix/ffdhe4096.pem

SIDN has a nice article about Hands-on: implementing DANE in Postfix which covers advanced configuration setting for security, not just DANE, but also TLSA, and DKIM, SPF, DMARC.

Configuration regarding RFC7919 for various services (postfix, Apache, PureFTPd, dovecot).

posted at: 21:34 | path: /configuration | permanent link

Sun, 05 Jun 2022

BIND 9.16, dnssec-enable not necessary anymore

/etc/named.conf:21: option 'dnssec-enable' is obsolete and should be removed
Well, it must be removed, otherwise BIND 9.16 does not start anymore (comes with Debian bookworm). See release info.

posted at: 17:49 | path: / | permanent link

Made with PyBlosxom