pmeerw's blog

Sun, 03 Feb 2019

Various security updates

  1. Enable HTTP Strict Transport Security (HSTS), easy: simply enable the Apache headers module (a2enmod headers) and add the following to the HTTPS virtual host (browsers ignore HSTS received over plain HTTP):
    Header add Strict-Transport-Security "max-age=15768000; includeSubDomains"
    yeah, finally A+ on SSL Labs!
  2. Permanent redirect from HTTP to HTTPS using Apache rewrite module:
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
  3. Turn HTTP compression off in Apache (compressed HTTPS responses leak information to attacks such as BREACH):
    SetEnv no-gzip 1
  4. Enable DANE (RFC 6698) in Postfix: first check that the DNS resolver used by the mail server validates DNSSEC (e.g. run dig +dnssec against a signed domain and see if the ad flag is present in the response header), then set the following in /etc/postfix/main.cf
    smtp_dns_support_level=dnssec
    smtp_host_lookup=dns
    smtp_tls_security_level=dane
    smtp_tls_loglevel=1
  5. Update Postfix cipher suites to disable insecure ciphers in /etc/postfix/main.cf:
    smtp_tls_ciphers = high
    smtpd_tls_ciphers = high
    smtp_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_exclude_ciphers = aNULL
    smtp_tls_exclude_ciphers = aNULL
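
The DNSSEC check from step 4, scripted, as an added example that is not part of the original post: it parses the ";; flags:" line of dig output for the ad flag and looks for a TLSA record at _25._tcp.HOST, which is what Postfix will query for a peer MX host. It assumes a POSIX shell with dig installed; the sample dig output embedded below is constructed, not captured from a real query.

```shell
#!/bin/sh
# Added example (not from the original post): check the prerequisites for
# Postfix DANE (smtp_dns_support_level=dnssec, smtp_tls_security_level=dane).
# A validating resolver sets the "ad" (authenticated data) flag on answers
# from signed zones; dig prints it on the ";; flags:" line of the header.

# resolver_validates: read dig output on stdin; succeed if "ad" is among the flags.
resolver_validates() {
    grep '^;; flags:' | sed 's/^;; flags: \([^;]*\);.*/\1/' | tr ' ' '\n' | grep -qx ad
}

# tlsa_present: read dig TLSA output on stdin; succeed if an answer record exists
# (answer lines are not ";" comments and contain "IN TLSA").
tlsa_present() {
    grep -v '^;' | grep -Eq '[[:space:]]IN[[:space:]]+TLSA[[:space:]]'
}

# check_dane_prereqs HOST: live checks against the system resolver (needs dig).
# HOST is an MX hostname: a peer's, or your own to see what peers will find.
check_dane_prereqs() {
    host=$1
    if dig +dnssec A "$host" | resolver_validates; then
        echo "ok: ad flag set for $host, resolver validates DNSSEC"
    else
        echo "FAIL: no ad flag for $host (resolver does not validate, or zone unsigned)"
        return 1
    fi
    if dig +dnssec TLSA "_25._tcp.$host" | tlsa_present; then
        echo "ok: TLSA record published for _25._tcp.$host"
    else
        echo "note: no TLSA record for _25._tcp.$host; level dane falls back to opportunistic TLS"
    fi
}

# Constructed sample dig output (not from a real query) so the parsers run offline.
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TLSA=';; ANSWER SECTION:
_25._tcp.mail.example.com. 3600 IN TLSA 3 1 1 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Usage: ./dane-check.sh mail.example.com
if [ $# -gt 0 ]; then
    check_dane_prereqs "$1"
fi
```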

posted at: 23:33 | path: /configuration | permanent link

Made with PyBlosxom