mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
Hardening TLS ciphers (#492)
* Hardening Dovecot TLS ciphers * Mitigate Logjam vulnerability on Dovecot * Mitigate Logjam vulnerability on Postfix * Add Nmap tests of PCI compliance for Postfix and Dovecot * Increase sleep duration on Makefile steps to avoid races
This commit is contained in:
parent
fed48e646d
commit
d40ae81d09
|
@ -103,6 +103,7 @@ RUN sed -i 's/START_DAEMON=no/START_DAEMON=yes/g' /etc/default/fetchmail
|
|||
# Configures Postfix
|
||||
COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
|
||||
RUN echo "" > /etc/aliases
|
||||
RUN openssl dhparam -out /etc/postfix/dhparams.pem 2048
|
||||
|
||||
# Configuring Logs
|
||||
RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \
|
||||
|
|
4
Makefile
4
Makefile
|
@ -118,7 +118,7 @@ run:
|
|||
-e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
|
||||
-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
|
||||
-h mail.my-domain.com -t $(NAME)
|
||||
sleep 15
|
||||
sleep 30
|
||||
|
||||
fixtures:
|
||||
cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
|
||||
|
@ -142,7 +142,7 @@ fixtures:
|
|||
# postfix virtual transport lmtp
|
||||
docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt"
|
||||
# Wait for mails to be analyzed
|
||||
sleep 10
|
||||
sleep 20
|
||||
|
||||
tests:
|
||||
# Start tests
|
||||
|
|
|
@ -43,13 +43,13 @@ ssl_key = </etc/dovecot/private/dovecot.pem
|
|||
#ssl_cert_username_field = commonName
|
||||
|
||||
# DH parameters length to use.
|
||||
#ssl_dh_parameters_length = 1024
|
||||
ssl_dh_parameters_length = 2048
|
||||
|
||||
# SSL protocols to use
|
||||
ssl_protocols = !SSLv2 !SSLv3
|
||||
|
||||
# SSL ciphers to use
|
||||
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
|
||||
|
||||
# Prefer the server's order of ciphers over client's.
|
||||
ssl_prefer_server_ciphers = yes
|
||||
|
|
|
@ -33,6 +33,7 @@ smtp_tls_protocols=!SSLv2,!SSLv3
|
|||
smtpd_tls_mandatory_ciphers = high
|
||||
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
|
||||
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
|
||||
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
|
||||
smtpd_tls_CApath = /etc/ssl/certs
|
||||
smtp_tls_CApath = /etc/ssl/certs
|
||||
|
||||
|
|
|
@ -919,8 +919,8 @@ load 'test_helper/bats-assert/load'
|
|||
# Postfix VIRTUAL_TRANSPORT
|
||||
#
|
||||
@test "checking postfix-lmtp: virtual_transport config is set" {
|
||||
run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
|
||||
assert_success
|
||||
run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "checking postfix-lmtp: delivers mail to existing account" {
|
||||
|
@ -928,3 +928,39 @@ load 'test_helper/bats-assert/load'
|
|||
assert_success
|
||||
assert_output 1
|
||||
}
|
||||
|
||||
#
|
||||
# PCI compliance
|
||||
#
|
||||
|
||||
# dovecot
|
||||
@test "checking dovecot: only A grade TLS ciphers are used" {
|
||||
run docker run --rm -i --link mail:dovecot \
|
||||
--entrypoint sh instrumentisto/nmap -c \
|
||||
'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "least strength: A"'
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "checking dovecot: nmap produces no warnings on TLS ciphers verifying" {
|
||||
run docker run --rm -i --link mail:dovecot \
|
||||
--entrypoint sh instrumentisto/nmap -c \
|
||||
'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "warnings" | wc -l'
|
||||
assert_success
|
||||
assert_output 0
|
||||
}
|
||||
|
||||
# postfix
|
||||
@test "checking postfix: only A grade TLS ciphers are used" {
|
||||
run docker run --rm -i --link mail:postfix \
|
||||
--entrypoint sh instrumentisto/nmap -c \
|
||||
'nmap --script ssl-enum-ciphers -p 587 postfix | grep "least strength: A"'
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "checking postfix: nmap produces no warnings on TLS ciphers verifying" {
|
||||
run docker run --rm -i --link mail:postfix \
|
||||
--entrypoint sh instrumentisto/nmap -c \
|
||||
'nmap --script ssl-enum-ciphers -p 587 postfix | grep "warnings" | wc -l'
|
||||
assert_success
|
||||
assert_output 0
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue