Yes, this is yet another post on my Linux email server that I am using to get off of Google's teat, and of course avoid the NSA's PRISM program.
As a part of setting up my email server I wanted to lock it down well enough that it would pass a Payment Card Industry (PCI) security scan from a PCI-authorized auditor like Comodo's Hacker Guardian. My reasoning is that if I can pass a scan that banks and credit card companies use to evaluate their security against hackers, then it's probably the best one can do against the NSA.
I am very familiar with locking down regular websites. After all, it's a part of what I do for my day job. I've even written about how to configure SSL on Apache for PCI compliance, as well as on Windows 2008R2 and Windows 2003.
With my email server, I also had to configure SSL encryption for SMTP and IMAP using Postfix and Dovecot respectively. It took a while because I didn't see a lot of documentation online on how to do it, but I finally figured it out.
For Postfix (/etc/postfix/main.cf), use these settings for SSL/TLS:
smtpd_tls_cert_file = /etc/path/to/public.crt
smtpd_tls_key_file = /etc/path/to/private.key
smtpd_tls_CAfile = /etc/path/to/ca-bundle.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, 3DES, MD5, AES
smtpd_sasl_security_options = noplaintext
For Dovecot (/etc/dovecot/dovecot.conf) use these settings for SSL/TLS:
ssl = required
verbose_ssl = no
ssl_cert = </etc/path/to/public.crt
ssl_key = </etc/path/to/private.key
ssl_ca = </etc/path/to/ca-bundle.crt
ssl_cipher_list = HIGH:+TLSv1:+SSLv3:!LOW:!SSLv2:!EXP:!aNULL
That's it! After I made those settings I was able to pass my PCI scan from Hacker Guardian:
That's not the only thing you have to worry about, of course. You also have to do things like hiding your PHP and Apache versions, but the SSL configuration is usually the hardest part of PCI compliance to get right.
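As an added example (my own, not code from the post or from Postfix/Dovecot), here is a small offline audit of the two config fragments above: it parses the pasted `key = value` lines, confirms STARTTLS is on and plaintext SASL is off, checks that Dovecot refuses non-TLS logins, and flags the protocols and ciphers that scanners later came to reject (SSLv3 after POODLE, RC4 after RFC 7465). The sample strings and the wording of the findings are constructed for this example.

```python
"""Offline audit of the TLS lines in a Postfix main.cf or Dovecot conf fragment."""
# Constructed sample input: the Postfix settings from this post, pasted as text.
SAMPLE_MAIN_CF = """
smtpd_use_tls=yes
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, 3DES, MD5, AES
smtpd_sasl_security_options = noplaintext
"""
# Constructed sample input: the Dovecot settings from this post.
SAMPLE_DOVECOT_CONF = """
ssl = required
ssl_cipher_list = HIGH:+TLSv1:+SSLv3:!LOW:!SSLv2:!EXP:!aNULL
"""

def parse_kv(text):
    """Parse 'key = value' lines (both daemons use this shape); skip blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}

def audit_postfix(text):
    """Findings for the smtpd (inbound) TLS settings; an empty list means nothing flagged."""
    s, findings = parse_kv(text), []
    if s.get("smtpd_use_tls", "no").lower() != "yes":
        findings.append("smtpd_use_tls is not yes: STARTTLS is never offered")
    for proto in sorted(_csv(s.get("smtpd_tls_protocols", "")) & {"SSLv2", "SSLv3"}):
        findings.append(f"{proto} is enabled in smtpd_tls_protocols")
    excluded = _csv(s.get("smtpd_tls_exclude_ciphers", ""))
    for weak in ("aNULL", "RC4", "3DES", "MD5"):  # RC4 is absent from the post's list
        if weak not in excluded:
            findings.append(f"{weak} is not in smtpd_tls_exclude_ciphers")
    if "noplaintext" not in s.get("smtpd_sasl_security_options", ""):
        findings.append("SASL permits plaintext mechanisms on unencrypted sessions")
    return findings

def audit_dovecot(text):
    s, findings = parse_kv(text), []
    if s.get("ssl", "no") != "required":
        findings.append("ssl is not 'required': clients may log in without TLS")
    if "!aNULL" not in s.get("ssl_cipher_list", "").split(":"):
        findings.append("ssl_cipher_list does not exclude anonymous (aNULL) suites")
    return findings
```

Run against the post's own settings it reports only the SSLv3 and RC4 items for Postfix and nothing for Dovecot; paste your live files in place of the samples to audit a real server.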
Did this help you out? If so, let us know in the comments.