Univention Bugzilla – Bug 35924
Check if perfect forward secrecy is enabled
Last modified: 2023-03-25 06:44:18 CET
A test should be implemented that tests if TLS and PFS are enabled and working properly. Sending mails and receiving mails should be tested!

+++ This bug was initially created as a clone of Bug #35923 +++

We should enable Perfect Forward Secrecy:

* Execute the following commands during installation of univention-mail-postfix:

    $ openssl gendh -out /etc/postfix/dh_512.pem -2 512
    $ openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
    $ openssl gendh -out /etc/postfix/dh_2048.pem -2 2048

  And the new config options:

    smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

  This enables EDH in postfix.

* smtpd_tls_eecdh_grade = strong
  Currently the builtin default value "none" is used which disables ciphers based on EECDH key exchange.

* tls_preempt_cipherlist = yes
  Is currently ignored in UCS 3.x (postfix 2.7) but used in UCS 4. It should also be set.

* smtpd_tls_loglevel = 1
  smtp_tls_loglevel = 1
  Raise TLS loglevel from 0 to 1.

Please recheck also for missing options: http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
r57392: * Bug #35924: 40_mail/00check_forward_secrecy: check if Perfect Forward Secrecy is enabled. The test greps the output of openssl s_client as in Bug #35923.
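The kind of check r57392 describes, as an added example that is not the UCS test-suite code: a POSIX shell function that reads `openssl s_client` output from stdin and reports whether the negotiated cipher uses an ephemeral (ECDHE/DHE/EDH or TLS 1.3) key exchange. The function names and the sample output are our own; `check_smtp_pfs` is only a wrapper for a live STARTTLS probe.

```shell
#!/bin/sh
# Added example, not code from UCS or from the bug's test: decide from
# `openssl s_client` output whether the negotiated cipher provides
# forward secrecy. Function names and sample data are constructed here.

# Print the negotiated cipher name, taken from either the
# "New, TLSv1.2, Cipher is X" line or the "    Cipher    : X" session line.
cipher_from_output() {
    sed -n -e 's/^ *Cipher *: *\([A-Za-z0-9_()-]*\).*/\1/p' \
           -e 's/.*Cipher is *\([A-Za-z0-9_()-]*\).*/\1/p' | head -n 1
}

# Classify a cipher name: ECDHE/DHE/EDH suites negotiate an ephemeral key
# (forward secrecy), and every TLS 1.3 suite (TLS_*) does as well. Static
# RSA suites such as AES256-SHA do not. No cipher means the handshake failed.
classify_cipher() {
    case "$1" in
        ''|'(NONE)')               echo "no-cipher" ;;
        ECDHE-*|DHE-*|EDH-*|TLS_*) echo "pfs" ;;
        *)                         echo "no-pfs" ;;
    esac
}

# Read s_client output on stdin; print pfs, no-pfs or no-cipher.
pfs_from_s_client_output() {
    classify_cipher "$(cipher_from_output)"
}

# Live probe of a mail server over STARTTLS (needs network; not run below).
# Usage: check_smtp_pfs mail.example.test 25
check_smtp_pfs() {
    openssl s_client -starttls smtp -connect "$1:${2:-25}" </dev/null 2>/dev/null \
        | pfs_from_s_client_output
}

# Constructed sample of s_client output for a PFS handshake (not a real capture).
SAMPLE_PFS='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE_PFS" | pfs_from_s_client_output   # prints: pfs
```

A result of `no-pfs` means the server accepted a static-RSA suite, which is what the eecdh/dh settings from the cloned bug are meant to rule out; `no-cipher` means STARTTLS or the handshake itself failed and the TLS setup needs checking first.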
r57394: * Bug #35924: 40_mail/00delivery00basic: added delivery test case with tls.
No separate QA is needed for this bug.