Proxmox Mail Gateway Cipher Suite

[V.E.L]

Hello,

How do I modify cipher suite for proxmox mail gateway?

In zimbra I always did this:

zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES,TLS_ECDH_anon_WITH_AES_256_CBC_SHA'

 

[Stoiko Ivanov]

You could edit the template for /etc/postfix/main.cf (the default template is in /var/lib/pmg/templates/main.cf.in, and you should override it by copying it to /etc/pmg/ and edit it there - check the admin guide https://www.proxmox.com/images/download/pmg/docs/pmg-admin-guide.pdf, and the postfix tls howto http://www.postfix.org/TLS_README.html ).

 

[Access2IT]

Hello,

We are currently setting up a pmg cluster and are trying to meet all the requirements of en.internet.nl

Technical details:
Mail server (MX) First found insecure cipher suite
XXX.XXX.XXX. ADH-AES256-GCM-SHA384
XXX.XXX.XXX. ADH-AES256-GCM-SHA384

pmg still uses unsafe chipher, I changed this a few times in main.cf, but this is overwritten every time by the system to the default.
Does anyone know how to put the chipher on high security?

Thank you in advance

 

[sb-jw]

Does anyone know how to put the chipher on high security?

You could edit the template for /etc/postfix/main.cf (the default template is in /var/lib/pmg/templates/main.cf.in, and you should override it by copying it to /etc/pmg/ and edit it there - check the admin guide https://www.proxmox.com/images/download/pmg/docs/pmg-admin-guide.pdf, and the postfix tls howto http://www.postfix.org/TLS_README.html ).

 

[heutger]

I believe, he is also looking for something like this: #132

Oh, and a) you should read the post with all information in it, b) you should use some more informal tests like hardenize.com or ssllabs.com (last only for websites), c) you should also consider (as well only for websites) observatory.mozilla.org and gtmetrix.com, e.g. DNSSEC is broken by design (as well) but more worse, it's also an threat vector as DNSSEC could be misused to multiple DNS DDoS amplitudes. DANE the same, broken by design and depends on DNSSEC. BREACH attack stated for my website shouldn't work as I have HSTS enabled and be on the preload list, IPv6 for mail server is currently no good idea, as there is less protection against spam with IPv6. I play around also with other broken by design techniques like SPF, DKIM and DMARC on my private test setup, so that are the results currently.

 

[skaag]

I believe, he is also looking for something like this: #132

Oh, and a) you should read the post with all information in it, b) you should use some more informal tests like hardenize.com or ssllabs.com (last only for websites), c) you should also consider (as well only for websites) observatory.mozilla.org and gtmetrix.com, e.g. DNSSEC is broken by design (as well) but more worse, it's also an threat vector as DNSSEC could be misused to multiple DNS DDoS amplitudes. DANE the same, broken by design and depends on DNSSEC. BREACH attack stated for my website shouldn't work as I have HSTS enabled and be on the preload list, IPv6 for mail server is currently no good idea, as there is less protection against spam with IPv6. I play around also with other broken by design techniques like SPF, DKIM and DMARC on my private test setup, so that are the results currently.

This is the best thing I read on the internet this year so far, I'm not even kidding.