On 5/9/23 14:31, Michel Verdier wrote:
Dovecot with PAM needs the plaintext method, so if Postfix disables it they cannot share a method.
You have to be careful to require that any plaintext client password travels only over a TLS-secured connection:
smtpd_tls_auth_only = yes
More generally, it is good practice to restrict ciphers and protocols to a preferred set. This is part of my Postfix configuration:
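# TLS parameters
tls_random_source = dev:/dev/urandom

# Legacy on/off switches; the *_tls_security_level settings below are the
# ones that actually decide the TLS policy.
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

# SASL is delegated to Dovecot's auth socket.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Trust store used to verify peer certificates (inbound client certs and
# outbound server certs).
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Opportunistic TLS in both directions: "may" still accepts/delivers in
# cleartext when the peer does not offer STARTTLS. smtpd_tls_auth_only
# therefore matters: it refuses to advertise AUTH until TLS is active, so
# plaintext SASL credentials never cross an unencrypted connection.
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# Server (smtpd) and client (smtp) key material.
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# From Redhat
# Alternate protocols: TLSv1.2 only.
# "!SSLv2" on its own still leaves SSLv3, TLSv1 and TLSv1.1 enabled, which
# contradicts the "TLSv1.2 only" intent; exclude those versions explicitly.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# Outbound opportunistic TLS (smtp_tls_security_level = may above) falls
# back to cleartext if the handshake fails, so only the SSL versions are
# excluded here; tightening this would trade weak TLS for no TLS.
smtp_tls_protocols = !SSLv2, !SSLv3

# Ciphers
# Currently recommended ciphers, excluding DES-based ciphers to avoid the
# SWEET32 attack and removing SHA1-based ciphers, which leaves the
# SHA256/SHA384 variants.
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
# Cipher list applied when *_tls_ciphers = high; "!SHA" at the end drops the
# remaining SHA-1 MAC suites.
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SHA
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
# End from Redhat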