Virtualmin and PFS

I am thinking about setting up Postfix and Dovecot for PFS, do you see any issues with virtualmin then? As long as i enable the SSL Certs for the Mailservers as well? Or is there any pitfall to avoid in the first place? Don’t want to screw everything up, while it is working perfectly :slight_smile:

Thank you and Best j_m

Howdy,

Hmm, I’m not familiar with PFS. Can you describe how that setup might work?

-Eric

you need Postfix greater 2.6 (best 2.8 or up) and openssl greater 0.9 better 1.0 or up.

You need to create two Diffie Hellman Keys and put them in maincf:

openssl gendh -out /etc/postfix/dh_512.pem -2 512

openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

postconf -e “smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem”

postconf -e “smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem”

postconf -e “smtpd_tls_eecdh_grade = strong”

postconf -e “tls_preempt_cipherlist = yes”

postconf -e “smtpd_tls_loglevel = 1”

postconf -e “smtp_tls_loglevel = 1”

postfix reload

tls_preempt will only be executed from Postfix 2.8 or up, the older versions will ignore this setting.

Dovecot should be 2.1, better 2.2.x

Dovecot uses PFS, but it is not being found in logfiles. Therefore /etc/dovecot/conf.d/10-logging.conf has to be changed into:

login_log_format_elements = “user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k”

Now test the setup:

openssl s_client -starttls smtp -connect mail.example.com:25

openssl s_client -starttls imap -connect imap.example.com:143

EDIT: Here use your own mailserveradress for testing instead of example.com

The output should read something like this:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

So they say, but didn’t try it yet.

Bump :slight_smile:

Summary

@andreychek :slight_smile: “Forward secrecy (FS) also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromises of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of private key. The very popular RSA key exchange doesn’t provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers.”

Detail

Test

This free software allows you to test if your SSL certificate presently installed on a domain name supports PFS at https://www.ssllabs.com/ssltest/

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.