Virtualmin and PFS

Sat, 11/01/2014 - 03:18
just_me


I am thinking about setting up Postfix and Dovecot for PFS. Do you see any issues with Virtualmin then, as long as I enable the SSL certs for the mail servers as well? Or is there any pitfall to avoid in the first place? I don't want to screw everything up while it is working perfectly :-)

Thank you and best regards, j_m

Sat, 11/01/2014 - 13:20
andreychek

Howdy,

Hmm, I'm not familiar with PFS. Can you describe how that setup might work?

-Eric

Mon, 11/03/2014 - 02:26
just_me

You need Postfix greater than 2.6 (best 2.8 or up) and OpenSSL greater than 0.9, better 1.0 or up.

You need to create two Diffie-Hellman keys and put them in main.cf:

openssl gendh -out /etc/postfix/dh_512.pem -2 512

openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

postconf -e "smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem"

postconf -e "smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem"

postconf -e "smtpd_tls_eecdh_grade = strong"

postconf -e "tls_preempt_cipherlist = yes"

postconf -e "smtpd_tls_loglevel = 1"

postconf -e "smtp_tls_loglevel = 1"

postfix reload

tls_preempt_cipherlist will only be honoured from Postfix 2.8 or up; older versions will ignore this setting.

Dovecot should be 2.1, better 2.2.x.

Dovecot uses PFS, but it is not shown in the logfiles. Therefore /etc/dovecot/conf.d/10-logging.conf has to be changed to:

login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"

Now test the setup:

openssl s_client -starttls smtp -connect mail.example.com:25

openssl s_client -starttls imap -connect imap.example.com:143

EDIT: Use your own mail server address for testing instead of example.com.

The output should read something like this:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

So they say, but didn't try it yet.
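As an added example for the test step above (my own code, not from the post, from Virtualmin or from Postfix), here is a small POSIX shell check: it pulls the negotiated cipher out of openssl s_client output or out of a Postfix "TLS connection established" log line (what smtpd_tls_loglevel = 1 writes) and reports whether the key exchange is ephemeral, which is what PFS requires. All sample inputs below are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the forum post: extract the negotiated cipher from
# either "openssl s_client" output or a Postfix "TLS connection established"
# log line (as written with smtpd_tls_loglevel = 1), and say whether it gives
# forward secrecy. The sample inputs below are constructed, not captured.

# Print the cipher name found in the text given as $1, or nothing if absent.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' \
        -e 's/.*with cipher \([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Return 0 if the cipher uses an ephemeral (EC)DH key exchange, 1 otherwise.
# OpenSSL names such suites ECDHE-*, DHE-* or (older builds) EDH-*.
is_pfs_cipher() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Wrapper that prints "pfs", "no-pfs" or "none".
# "0000" is what s_client prints when no TLS session was established at all.
classify() {
    c=$(negotiated_cipher "$1")
    if [ -z "$c" ] || [ "$c" = 0000 ]; then echo none
    elif is_pfs_cipher "$c"; then echo pfs
    else echo no-pfs
    fi
}

# Constructed s_client excerpt, shaped like the output the post expects.
S_CLIENT_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
# Constructed Postfix log line for a non-PFS (plain RSA key exchange) handshake.
POSTFIX_RSA='Nov  3 02:26:11 mail postfix/smtpd[1234]: Anonymous TLS connection established from example.net[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)'
# Constructed failed handshake.
S_CLIENT_FAIL='SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

for sample in "$S_CLIENT_OK" "$POSTFIX_RSA" "$S_CLIENT_FAIL"; do
    echo "$(negotiated_cipher "$sample"): $(classify "$sample")"
done
```

To check a live server, feed it the real output, e.g. classify "$(openssl s_client -starttls smtp -connect mail.example.com:25 </dev/null 2>/dev/null)".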

Mon, 11/10/2014 - 08:46
just_me

Bump :-)
