Yes, this is yet another post on my Linux email server that I am using to get off of Google's teat, and of course avoid the NSA's PRISM program.
As a part of setting up my email server I wanted to lock it down well enough that it would pass a Payment Card Industry (PCI) security scan from a PCI authorized auditor like Comodo's Hacker Guardian. My reasoning is that if I can pass a scan that banks and credit card companies use to evaluate their security against hackers, then it's probably the best one can do against the NSA.
I am very familiar with locking down regular websites. After all, it's a part of what I do for my day job. I've even written about how to configure SSL on Apache for PCI compliance, as well as Windows 2008R2 and Windows 2003.
But with my email server, I also had to configure SSL encryption for SMTP and IMAP using Postfix and Dovecot respectively. It took a while because I didn't see a lot of documentation online on how to do it, but I finally figured it out.
For Postfix (/etc/postfix/main.cf), use these settings for SSL/TLS:
smtpd_tls_cert_file = /etc/path/to/public.crt
smtpd_tls_key_file = /etc/path/to/private.key
smtpd_tls_CAfile = /etc/path/to/ca-bundle.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, 3DES, MD5, AES
smtpd_sasl_security_options = noplaintext
For Dovecot (/etc/dovecot/dovecot.conf) use these settings for SSL/TLS:
ssl = required
verbose_ssl = no
ssl_cert = </etc/path/to/public.crt
ssl_key = </etc/path/to/private.key
ssl_ca = </etc/path/to/ca-bundle.crt
ssl_cipher_list = HIGH:+TLSv1:+SSLv3:!LOW:!SSLv2:!EXP:!aNULL
That's it! After I made those settings I was able to pass my PCI scan from Hacker Guardian.
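Both the Postfix and the Dovecot snippets above leave SSLv3 negotiable, which passed a PCI scan at the time but no longer does (PCI DSS has since required SSL and early TLS to be turned off, and the SSLv3 protocol itself is deprecated). The following is an added example, not code from the original post or from the Postfix or Dovecot projects: a small lint that parses the key = value style both main.cf and dovecot.conf use and reports the settings a current scan would fail, run over constructed copies of the post's configs and over constructed hardened variants. The hardened variants assume Postfix linked against OpenSSL 1.0.1 (so the TLSv1.1 protocol name is understood) and Dovecot 2.1/2.2 (where the protocol floor is set with ssl_protocols); adjust for other versions.

```python
"""Static lint for Postfix and Dovecot TLS settings (added example)."""
import re

# Constructed input modelled on the post's main.cf settings.
POSTFIX_MAIN_CF = """\
smtpd_tls_cert_file = /etc/path/to/public.crt
smtpd_tls_key_file = /etc/path/to/private.key
smtpd_use_tls=yes
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, 3DES, MD5, AES
"""

# Constructed hardened variant (assumes OpenSSL 1.0.1 protocol names).
POSTFIX_HARDENED = """\
smtpd_use_tls = yes
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, 3DES
"""

# Constructed input modelled on the post's dovecot.conf settings.
DOVECOT_CONF = """\
ssl = required
ssl_cert = </etc/path/to/public.crt
ssl_key = </etc/path/to/private.key
ssl_cipher_list = HIGH:+TLSv1:+SSLv3:!LOW:!SSLv2:!EXP:!aNULL
"""

# Constructed hardened variant (assumes Dovecot 2.1/2.2 ssl_protocols syntax).
DOVECOT_HARDENED = """\
ssl = required
ssl_cert = </etc/path/to/public.crt
ssl_key = </etc/path/to/private.key
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_cipher_list = HIGH:!aNULL:!MD5:!RC4:!3DES
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_kv(text):
    """Parse 'key = value' lines; '#' starts a comment, other lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def split_list(value):
    """Split a Postfix or Dovecot list value on commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def codes(findings):
    """Reduce (code, message) findings to their codes, for quick comparison."""
    return [code for code, _ in findings]


def lint_postfix(settings):
    """Return (code, message) findings for the smtpd TLS settings."""
    findings = []
    if settings.get("smtpd_use_tls", "no").lower() != "yes":
        findings.append(("TLS_OFF", "smtpd_use_tls is not yes"))
    protos = split_list(settings.get("smtpd_tls_protocols", ""))
    # Bare names form an allow-list; '!'-prefixed names are exclusions.
    # An empty setting meant "every protocol" in Postfix of that era.
    allowed = {p for p in protos if not p.startswith("!")}
    denied = {p[1:] for p in protos if p.startswith("!")}
    for proto in LEGACY_PROTOCOLS:
        if proto in allowed or (not allowed and proto not in denied):
            findings.append(("LEGACY_PROTO", f"{proto} can still be negotiated"))
    excluded = {c.upper() for c in split_list(settings.get("smtpd_tls_exclude_ciphers", ""))}
    if "ANULL" not in excluded:
        findings.append(("ANON_CIPHERS", "anonymous (aNULL) suites are not excluded"))
    # OpenSSL's MEDIUM grade of that era still contained the RC4 suites.
    if settings.get("smtpd_tls_ciphers", "medium").lower() != "high" and "RC4" not in excluded:
        findings.append(("RC4", "RC4 suites are not excluded"))
    if "AES" in excluded:
        findings.append(("AES_EXCLUDED", "excluding AES drops the suites modern clients prefer"))
    return findings


def lint_dovecot(settings):
    """Return (code, message) findings for the Dovecot ssl_* settings."""
    findings = []
    if settings.get("ssl", "no").lower() != "required":
        findings.append(("TLS_OPTIONAL", "ssl is not 'required'; plaintext logins are possible"))
    # In an OpenSSL cipher string, SSLv3/TLSv1 select suites by the version
    # that introduced them; they do not restrict which protocol is negotiated,
    # so the floor has to come from ssl_protocols.
    protos = split_list(settings.get("ssl_protocols", ""))
    if not protos:
        findings.append(("NO_PROTO_FLOOR", "ssl_protocols is unset; nothing here disables SSLv3"))
    else:
        denied = {p[1:] for p in protos if p.startswith("!")}
        for proto in LEGACY_PROTOCOLS:
            if proto not in denied:
                findings.append(("LEGACY_PROTO", f"{proto} can still be negotiated"))
    tokens = settings.get("ssl_cipher_list", "").split(":")
    if "!aNULL" not in tokens:
        findings.append(("ANON_CIPHERS", "anonymous (aNULL) suites are not excluded"))
    if "!RC4" not in tokens and tokens[0].upper() != "HIGH":
        findings.append(("RC4", "RC4 suites are not excluded"))
    return findings


if __name__ == "__main__":
    for name, lint, text in (("postfix", lint_postfix, POSTFIX_MAIN_CF),
                             ("postfix-hardened", lint_postfix, POSTFIX_HARDENED),
                             ("dovecot", lint_dovecot, DOVECOT_CONF),
                             ("dovecot-hardened", lint_dovecot, DOVECOT_HARDENED)):
        print(name, lint(parse_kv(text)) or "clean")
```

Run against the post's settings the lint reports SSLv3 and TLSv1 as negotiable, RC4 not excluded from the medium grade, and AES excluded in Postfix, and the missing ssl_protocols floor in Dovecot; the hardened variants come back clean. The lint is static, so it says nothing about what the running daemon actually negotiates: after changing the files, confirm the live behaviour with a TLS scanner or an openssl s_client -starttls smtp / -starttls imap connection against the server.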