From 16cd4f9d2d4b228fe5704b84888c8d9fdecb269c Mon Sep 17 00:00:00 2001
From: youtous
Date: Sat, 2 May 2020 00:04:05 +0200
Subject: [PATCH] Reduce opportunities for a potential CPU exhaustion attack with `NO_RENEGOTIATION`

See https://en.wikipedia.org/wiki/Resource_exhaustion_attack
---
 target/postfix/main.cf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/postfix/main.cf b/target/postfix/main.cf
index ca8c5226..ec0fd8a4 100644
--- a/target/postfix/main.cf
+++ b/target/postfix/main.cf
@@ -28,7 +28,8 @@ smtp_tls_security_level = may
 smtp_tls_loglevel = 1
 # Reduces CPU overhead with `NO_COMPRESSION`, SMTP not at risk of CRIME attack (see git blame for details)
-tls_ssl_options = NO_COMPRESSION
+# Reduce opportunities for a potential CPU exhaustion attack with `NO_RENEGOTIATION`
+tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
 tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 tls_preempt_cipherlist = yes
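Review bot: The new `NO_RENEGOTIATION` token on the `tls_ssl_options` line is only understood by Postfix builds that expose it (the postconf(5) entry documents it as Postfix 3.4+ linked against OpenSSL 1.1.0+); the hunk gives no hint which Postfix the image ships, so the comment should record the requirement so a downgrade or a different base image does not silently lose the protection. On a build without support the name is not recognized at startup — I believe Postfix logs a warning rather than refusing to start, but that should be confirmed on the target image. Suggested replacement for the added comment line: `# NO_RENEGOTIATION limits client-triggered TLS renegotiation (CPU exhaustion vector); needs Postfix >= 3.4 with OpenSSL >= 1.1.0, see postconf(5) tls_ssl_options`. It would also help to carry the Wikipedia reference from the commit message into the comment, since the existing NO_COMPRESSION line already sends readers to git blame for its rationale, and to align the two comment lines on one voice ("Reduces ..." vs "Reduce ...").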