
Postfix with TLS v. 1.2 only

If you are already running your server with Let's Encrypt certificates, you should increase Postfix's security by restricting it to TLS v1.2.

Just change one file (/etc/postfix/main.cf) and you are a bit more secure when sending server mails. Let's start by modifying your Postfix configuration:

sudo -s
vi /etc/postfix/main.cf

Change your config-file to:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = your.dedyn.io
mydomain = your.dedyn.io
myorigin = $mydomain
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_received_header = yes
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_use_tls=yes
smtp_use_tls=yes
smtpd_tls_protocols = TLSv1.2, !TLSv1.1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.2, !TLSv1.1, !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
smtpd_tls_cert_file = /etc/letsencrypt/live/your.dedyn.io/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/your.dedyn.io/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/your.dedyn.io/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/your.dedyn.io/privkey.pem
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, your.dedyn.io, localhost.localdomain, localhost
relayhost = w123456.kasserver.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
sender_canonical_maps = hash:/etc/postfix/sender_canonical
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all
compatibility_level=2

We are using an all-inkl.com mail server; substitute the environment-specific entries (your.dedyn.io, w123456.kasserver.com) and your own mail server settings according to your environment, as described in the Nextcloud configuration guide.

Restart postfix:

service postfix restart

Send a test mail using a newly created dummy file (testmail):

vi ~/testmail

Paste any text into that file:

TLS v. 1.2 Testmail

Save and quit the file (:wq!) and send a new encrypted test mail:

mail -s "tlsv1.2-test" your@mail.com < ~/testmail

Verify the mail.log in /var/log with regard to the mail you just sent:

cat /var/log/mail.log

Your output should look like this:

...
Nov  5 11:32:53 odroid64 postfix/pickup[12959]: A0C596159B: uid=0 from=<root@odroid64> 
Nov  5 11:32:53 odroid64 postfix/cleanup[12964]: A0C596159B: message-id=<2016...@...de> 
Nov  5 11:32:53 odroid64 postfix/qmgr[12960]: A0C596159B: from=<...@....de>, size=348, nrcpt=1 (queue active) 
Nov  5 11:32:54 odroid64 postfix/smtp[12966]: Trusted TLS connection established to w123456.kasserver.com[ip.ip.ip.ip]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  5 11:32:54 odroid64 postfix/smtp[12966]: A0C596159B: to=<...@....de>, relay=w123456.kasserver.com[ip.ip.ip.ip]:587, delay=0.65, delays=0.03/0.04/0.4/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 30F7F580063) 
Nov  5 11:32:54 odroid64 postfix/qmgr[12960]: A0C596159B: removed
...
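Reading the log by eye is fine for one test mail. For checking all outgoing mail, the following script (an added example, not part of the original post) parses mail.log lines in the format shown above and reports, per queued message, which TLS version the relay handshake used, flagging deliveries that used anything below TLS 1.2 or that logged no handshake at all. It relies on smtp_tls_loglevel = 1 from the configuration above, which makes Postfix log one "TLS connection established" line per handshake; the relay name, addresses and queue IDs in the embedded sample are constructed.

```python
import re
import sys

# Constructed sample in the shape Postfix writes to /var/log/mail.log
# (hostnames, addresses and queue IDs are made up for this example).
SAMPLE_LOG = """\
Nov  5 11:32:54 odroid64 postfix/smtp[12966]: Trusted TLS connection established to relay.example.net[192.0.2.10]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  5 11:32:54 odroid64 postfix/smtp[12966]: A0C596159B: to=<user@example.org>, relay=relay.example.net[192.0.2.10]:587, delay=0.65, delays=0.03/0.04/0.4/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 30F7F580063)
Nov  5 11:40:01 odroid64 postfix/smtp[12970]: Untrusted TLS connection established to relay.example.net[192.0.2.10]:587: TLSv1 with cipher AES128-SHA (128/128 bits)
Nov  5 11:40:01 odroid64 postfix/smtp[12970]: B1D6A7160C: to=<user@example.org>, relay=relay.example.net[192.0.2.10]:587, delay=0.5, delays=0.02/0.03/0.3/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 31A8B580064)
Nov  5 11:45:12 odroid64 postfix/smtp[12975]: C2E7B8171D: to=<user@example.org>, relay=relay.example.net[192.0.2.10]:587, delay=0.4, delays=0.02/0.03/0.2/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 32B9C580065)
"""

# Handshake line (one per TLS session, logged by the smtp(8) client process).
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: \w+ TLS connection established to "
    r"(?P<relay>\S+?): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
# Delivery line: carries the queue ID and the relay, but no TLS details.
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<[^>]*>, "
    r"relay=(?P<relay>\S+?), .*status=sent")

def audit_deliveries(log_text, required_proto="TLSv1.2"):
    """Map queue ID -> (relay, protocol or None, meets_requirement) for every
    delivery logged as status=sent. The handshake line has no queue ID, so it is
    tied to the delivery via the smtp process ID and relay; the last handshake per
    (pid, relay) is kept, not consumed, because one smtp process can reuse a cached
    connection for several deliveries. No handshake on record means cleartext."""
    handshakes = {}   # (pid, relay) -> (protocol, cipher)
    results = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            handshakes[(m["pid"], m["relay"])] = (m["proto"], m["cipher"])
            continue
        m = SENT_RE.search(line)
        if m:
            proto = handshakes.get((m["pid"], m["relay"]), (None, None))[0]
            results[m["qid"]] = (m["relay"], proto, proto == required_proto)
    return results

def weak_deliveries(log_text, required_proto="TLSv1.2"):
    """Queue IDs of sent messages that did not use the required protocol."""
    audit = audit_deliveries(log_text, required_proto)
    return sorted(qid for qid, (_, _, ok) in audit.items() if not ok)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for qid, (relay, proto, ok) in audit_deliveries(text).items():
        print(f"{qid} via {relay}: {proto or 'NO TLS'} {'ok' if ok else 'WEAK'}")
```

Run it as `python3 tls_audit.py /var/log/mail.log` (the file name is an assumption); without an argument it audits the embedded sample, in which one message used TLSv1.2, one fell back to TLSv1 and one had no handshake logged at all.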

Enjoy your Nextcloud.