
Update integration test environment to use proper mail server to test 100% mail #1553

Open
mxsasha opened this issue Nov 13, 2024 · 0 comments
mxsasha commented Nov 13, 2024

Currently we use mailhog, which does not support TLS at all. Migrating to a proper mail server would allow us to test this better in the integration tests.

Recently, I wrote a postfix configuration that meets 100% TLS, even in the new sslyze branch, so documenting it here for when we get to this issue.

```
compatibility_level = 3.8

tls_high_cipherlist = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA
tls_preempt_cipherlist = yes

smtpd_tls_cert_file=fullchain.pem
smtpd_tls_key_file=privkey.pem
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_eecdh_grade = ultra
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_received_header = yes

smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers =
      EXP, LOW, MEDIUM, aNULL, eNULL,
      SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
smtp_tls_mandatory_exclude_ciphers =
      EXP, LOW, MEDIUM, aNULL, eNULL,
      SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
```
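Since the point of the issue is to assert on the mail server's TLS policy from the integration tests, here is an added example of how that could be done before any network traffic is exercised. It is not code from the issue or from the Internet.nl project; the function names (`parse_main_cf`, `minimum_tls_version`, `check_tls_policy`, `starttls_probe`) and the `SAMPLE_MAIN_CF` snippet are my own, the snippet being the TLS-relevant subset of the configuration quoted above. The parser understands Postfix's whitespace-indented continuation lines, and the protocol check goes beyond the page by also accepting the older `!SSLv2, !SSLv3, ...` exclusion syntax. `starttls_probe` is the live counterpart for the test environment and is not run offline.

```python
"""Lint a Postfix main.cf snippet for the TLS policy described in the issue.

Added example (not the issue's or Internet.nl's own code). Parses main.cf
syntax, including indented continuation lines, and checks the parameters the
mail test depends on so an integration test can assert on them.
"""
import re
import smtplib
import ssl

# Constructed sample: the TLS-relevant subset of the configuration quoted in the issue.
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level=may
smtpd_tls_auth_only=yes
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtp_tls_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers =
      EXP, LOW, MEDIUM, aNULL, eNULL,
      SRP, PSK, kDH, ADH, AECDH, kRSA, DSS, RC4, DES, IDEA, SEED, ARIA, AESCCM8, 3DES, MD5
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
"""

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
REQUIRED_MIN = "TLSv1.2"
# Cipher groups the client side must exclude (subset of the issue's exclude list).
WEAK_GROUPS = {"EXP", "LOW", "MEDIUM", "aNULL", "eNULL", "kRSA", "RC4", "3DES", "MD5"}


def parse_main_cf(text):
    """Parse main.cf text into a dict; an indented line continues the previous parameter."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError(f"continuation line before any parameter: {raw!r}")
            params[current] = f"{params[current]} {raw.strip()}".strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            raise ValueError(f"unparseable main.cf line: {raw!r}")
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def _rank(name):
    if name not in PROTOCOL_ORDER:
        raise ValueError(f"unknown protocol name: {name!r}")
    return PROTOCOL_ORDER.index(name)


def minimum_tls_version(value):
    """Lowest protocol a *_tls_protocols value still enables, or None if it enables nothing.

    Accepts '>=TLSv1.2' (Postfix 3.6+), the older '!SSLv2, !SSLv3, ...' exclusion
    form, and bare names, which Postfix treats as an allow-list.
    """
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    allowed = list(PROTOCOL_ORDER)
    bare = [t for t in tokens if not t.startswith(("!", ">=", "<="))]
    if bare:
        allowed = [p for p in allowed if p in bare]
    for tok in tokens:
        if tok.startswith(">="):
            allowed = [p for p in allowed if _rank(p) >= _rank(tok[2:])]
        elif tok.startswith("<="):
            allowed = [p for p in allowed if _rank(p) <= _rank(tok[2:])]
        elif tok.startswith("!"):
            allowed = [p for p in allowed if p != tok[1:]]
    return allowed[0] if allowed else None


def check_tls_policy(params):
    """Return a list of findings; an empty list means the config meets the policy."""
    findings = []
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
                 "smtp_tls_protocols", "smtp_tls_mandatory_protocols"):
        lowest = minimum_tls_version(params.get(name, ""))  # absent = everything enabled
        if lowest is None or _rank(lowest) < _rank(REQUIRED_MIN):
            findings.append(f"{name}: lowest enabled protocol is {lowest}, need {REQUIRED_MIN}+")
    if params.get("smtpd_tls_security_level", "none") == "none":
        findings.append("smtpd_tls_security_level: STARTTLS is not offered")
    for name in ("smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers",
                 "smtp_tls_ciphers", "smtp_tls_mandatory_ciphers"):
        if params.get(name) != "high":
            findings.append(f"{name}: expected 'high', got {params.get(name)!r}")
    # DANE lookups are only trustworthy with DNSSEC-validated resolution.
    if params.get("smtp_tls_security_level") == "dane" and params.get("smtp_dns_support_level") != "dnssec":
        findings.append("smtp_tls_security_level=dane requires smtp_dns_support_level=dnssec")
    excluded = set(re.split(r"[,\s]+", params.get("smtp_tls_exclude_ciphers", "")))
    missing = sorted(WEAK_GROUPS - excluded)
    if missing:
        findings.append(f"smtp_tls_exclude_ciphers: not excluded: {', '.join(missing)}")
    return findings


def starttls_probe(host, port=25, cafile=None, timeout=10):
    """Live check: upgrade with STARTTLS and report the negotiated version and cipher.

    Not exercised offline; `cafile` is the CA that issued the test server's chain.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            return {"starttls": False}
        conn.starttls(context=ctx)
        conn.ehlo()  # capabilities must be re-read after the TLS upgrade
        return {"starttls": True, "version": conn.sock.version(), "cipher": conn.sock.cipher()[0]}


if __name__ == "__main__":
    problems = check_tls_policy(parse_main_cf(SAMPLE_MAIN_CF))
    print("policy OK" if not problems else "\n".join(problems))
```

In a test you would feed `check_tls_policy` the output of `postconf -n` from the container running the MTA, and only then call `starttls_probe` against it; the two checks catch different regressions (a config edit versus a build that silently dropped TLS support).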

mxsasha added this to the backlog milestone Nov 13, 2024