pmeerw's blog

Jun 2022

Mon, 13 Jun 2022

Postfix config, security update

Adjusting postfix config (main.cf) to make internet.nl happy:

  1. Set TLS options to disable compression and renegotiation:
    tls_ssl_options = NO_COMPRESSION,NO_RENEGOTIATION
    
  2. Prefer the server cipher list over the client:
    tls_preempt_cipherlist = yes
    
  3. Use a bigger DH group: a 2048-bit group is not enough for internet.nl, so use one of the predefined finite-field Diffie-Hellman Ephemeral (DHE) groups from RFC 7919 (ffdhe4096 here). Downloadable from here. The parameter name still says "1024" for historical reasons, but it is the file Postfix uses for all non-export DHE ciphers:
    smtpd_tls_dh1024_param_file = /etc/postfix/ffdhe4096.pem
    
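To check that all three settings have actually landed in main.cf (and that the configured DH file really contains a large group), here is a small audit script. It is an added example, not part of the original post and not Postfix's own tooling; it parses main.cf syntax directly rather than calling postconf, the 3072-bit threshold is an assumption derived from the post's "2048 is insufficient", and the DH parameters it builds for its own sample run are stand-in integers of the right width, not a real RFC 7919 group.

```python
"""Audit a Postfix main.cf for the TLS settings discussed above."""
import base64
import re
from pathlib import Path

MIN_DH_BITS = 3072  # assumption: the post found 2048 insufficient for internet.nl
REQUIRED_SSL_OPTIONS = {"NO_COMPRESSION", "NO_RENEGOTIATION"}


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments, continuation
    lines starting with whitespace; a later assignment overrides an earlier one."""
    settings, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            settings[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # malformed line; postconf would warn about it
        current = name.strip()
        settings[current] = value.strip()
    return settings


def der_len(n):
    """DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_int(n):
    """DER INTEGER; the extra byte keeps a positive value from looking negative."""
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(b)) + b


def der_read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def make_dh_pem(p, g=2):
    """Encode DH parameters as PEM (SEQUENCE { INTEGER p, INTEGER g }).
    Used here only to build constructed test input; do not deploy its output."""
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def dh_prime_bits(pem):
    """Bit length of the prime p in a 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = der_read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def audit(settings, dh_pem=None):
    """Return a list of findings; an empty list means all three settings are in place."""
    findings = []
    opts = {o.upper() for o in re.split(r"[,\s]+", settings.get("tls_ssl_options", "")) if o}
    missing = REQUIRED_SSL_OPTIONS - opts
    if missing:
        findings.append("tls_ssl_options lacks " + ", ".join(sorted(missing)))
    if settings.get("tls_preempt_cipherlist", "no").lower() != "yes":
        findings.append("tls_preempt_cipherlist is not 'yes' (client cipher order wins)")
    dh_file = settings.get("smtpd_tls_dh1024_param_file", "")
    if not dh_file:
        findings.append("smtpd_tls_dh1024_param_file is empty (compiled-in default parameters are used)")
    elif dh_pem is not None:
        bits = dh_prime_bits(dh_pem)
        if bits < MIN_DH_BITS:
            findings.append(f"DH prime is {bits} bits, below {MIN_DH_BITS}")
    return findings


def audit_file(main_cf_path):
    """Audit a real main.cf, reading the configured DH file when it exists."""
    settings = parse_main_cf(Path(main_cf_path).read_text())
    dh_file = settings.get("smtpd_tls_dh1024_param_file", "")
    dh_pem = Path(dh_file).read_text() if dh_file and Path(dh_file).exists() else None
    return audit(settings, dh_pem)


# Constructed main.cf fragments: the state before and after the three changes.
SAMPLE_WEAK = """\
smtpd_tls_cert_file = /etc/postfix/cert.pem
tls_ssl_options = NO_COMPRESSION
"""
SAMPLE_FIXED = """\
tls_ssl_options = NO_COMPRESSION,
    NO_RENEGOTIATION
tls_preempt_cipherlist = yes
smtpd_tls_dh1024_param_file = /etc/postfix/ffdhe4096.pem
"""

if __name__ == "__main__":
    stand_in_4096 = make_dh_pem((1 << 4095) | 1)  # constructed, not a real group
    print("before:", audit(parse_main_cf(SAMPLE_WEAK)))
    print("after: ", audit(parse_main_cf(SAMPLE_FIXED), stand_in_4096))
```

Run `audit_file("/etc/postfix/main.cf")` on the real box after dropping the RFC 7919 PEM in place. The script only measures the width of the prime, so it will accept any 3072-bit-or-larger parameters, not just the predefined ffdhe groups; confirming that the file is the genuine RFC 7919 group still means checking it against the primes printed in the RFC.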

SIDN has a nice article, Hands-on: implementing DANE in Postfix, which covers advanced configuration settings for security: not just DANE and its TLSA records, but also DKIM, SPF and DMARC.

Configuration regarding RFC7919 for various services (postfix, Apache, PureFTPd, dovecot).

posted at: 21:34 | path: /configuration | permanent link

Sun, 05 Jun 2022

BIND 9.16, dnssec-enable not necessary anymore

    /etc/named.conf:21: option 'dnssec-enable' is obsolete and should be removed
Well, it must be removed: otherwise BIND 9.16 (which comes with Debian bookworm) does not start anymore. See release info.

posted at: 17:49 | path: / | permanent link

Made with PyBlosxom