mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
Hardening TLS ciphers (#492)
* Hardening Dovecot TLS ciphers * Mitigate Logjam vulnerability on Dovecot * Mitigate Logjam vulnerability on Postfix * Add Nmap tests of PCI compliance for Postfix and Dovecot * Increase sleep duration on Makefile steps to avoid races
This commit is contained in:
parent
fed48e646d
commit
d40ae81d09
|
@ -103,6 +103,7 @@ RUN sed -i 's/START_DAEMON=no/START_DAEMON=yes/g' /etc/default/fetchmail
|
||||||
# Configures Postfix
|
# Configures Postfix
|
||||||
COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
|
COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
|
||||||
RUN echo "" > /etc/aliases
|
RUN echo "" > /etc/aliases
|
||||||
|
RUN openssl dhparam -out /etc/postfix/dhparams.pem 2048
|
||||||
|
|
||||||
# Configuring Logs
|
# Configuring Logs
|
||||||
RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \
|
RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \
|
||||||
|
|
4
Makefile
4
Makefile
|
@ -118,7 +118,7 @@ run:
|
||||||
-e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
|
-e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
|
||||||
-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
|
-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
|
||||||
-h mail.my-domain.com -t $(NAME)
|
-h mail.my-domain.com -t $(NAME)
|
||||||
sleep 15
|
sleep 30
|
||||||
|
|
||||||
fixtures:
|
fixtures:
|
||||||
cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
|
cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
|
||||||
|
@ -142,7 +142,7 @@ fixtures:
|
||||||
# postfix virtual transport lmtp
|
# postfix virtual transport lmtp
|
||||||
docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt"
|
docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt"
|
||||||
# Wait for mails to be analyzed
|
# Wait for mails to be analyzed
|
||||||
sleep 10
|
sleep 20
|
||||||
|
|
||||||
tests:
|
tests:
|
||||||
# Start tests
|
# Start tests
|
||||||
|
|
|
@ -43,13 +43,13 @@ ssl_key = </etc/dovecot/private/dovecot.pem
|
||||||
#ssl_cert_username_field = commonName
|
#ssl_cert_username_field = commonName
|
||||||
|
|
||||||
# DH parameters length to use.
|
# DH parameters length to use.
|
||||||
#ssl_dh_parameters_length = 1024
|
ssl_dh_parameters_length = 2048
|
||||||
|
|
||||||
# SSL protocols to use
|
# SSL protocols to use
|
||||||
ssl_protocols = !SSLv2 !SSLv3
|
ssl_protocols = !SSLv2 !SSLv3
|
||||||
|
|
||||||
# SSL ciphers to use
|
# SSL ciphers to use
|
||||||
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
|
||||||
|
|
||||||
# Prefer the server's order of ciphers over client's.
|
# Prefer the server's order of ciphers over client's.
|
||||||
ssl_prefer_server_ciphers = yes
|
ssl_prefer_server_ciphers = yes
|
||||||
|
|
|
@ -33,6 +33,7 @@ smtp_tls_protocols=!SSLv2,!SSLv3
|
||||||
smtpd_tls_mandatory_ciphers = high
|
smtpd_tls_mandatory_ciphers = high
|
||||||
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
|
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
|
||||||
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
|
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
|
||||||
|
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
|
||||||
smtpd_tls_CApath = /etc/ssl/certs
|
smtpd_tls_CApath = /etc/ssl/certs
|
||||||
smtp_tls_CApath = /etc/ssl/certs
|
smtp_tls_CApath = /etc/ssl/certs
|
||||||
|
|
||||||
|
|
|
@ -928,3 +928,39 @@ load 'test_helper/bats-assert/load'
|
||||||
assert_success
|
assert_success
|
||||||
assert_output 1
|
assert_output 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# PCI compliance
|
||||||
|
#
|
||||||
|
|
||||||
|
# dovecot
|
||||||
|
@test "checking dovecot: only A grade TLS ciphers are used" {
|
||||||
|
run docker run --rm -i --link mail:dovecot \
|
||||||
|
--entrypoint sh instrumentisto/nmap -c \
|
||||||
|
'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "least strength: A"'
|
||||||
|
assert_success
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "checking dovecot: nmap produces no warnings on TLS ciphers verifying" {
|
||||||
|
run docker run --rm -i --link mail:dovecot \
|
||||||
|
--entrypoint sh instrumentisto/nmap -c \
|
||||||
|
'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "warnings" | wc -l'
|
||||||
|
assert_success
|
||||||
|
assert_output 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# postfix
|
||||||
|
@test "checking postfix: only A grade TLS ciphers are used" {
|
||||||
|
run docker run --rm -i --link mail:postfix \
|
||||||
|
--entrypoint sh instrumentisto/nmap -c \
|
||||||
|
'nmap --script ssl-enum-ciphers -p 587 postfix | grep "least strength: A"'
|
||||||
|
assert_success
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "checking postfix: nmap produces no warnings on TLS ciphers verifying" {
|
||||||
|
run docker run --rm -i --link mail:postfix \
|
||||||
|
--entrypoint sh instrumentisto/nmap -c \
|
||||||
|
'nmap --script ssl-enum-ciphers -p 587 postfix | grep "warnings" | wc -l'
|
||||||
|
assert_success
|
||||||
|
assert_output 0
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue