Hardening SSL/TLS

HTTPS with Apache 2.4.29

/etc/apache2/mods-enabled/ssl.conf

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
#SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256"
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLCompression off
SSLOpenSSLConfCmd Curves secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

SSLLabs Score A+ (4x …

Create DKIM for Postfix (and ADSP)

Install opendkim

apt-get install opendkim opendkim-tools

Config file /etc/opendkim.conf

Syslog yes
UMask 007
SOCKET inet:12345@localhost
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
SigningTable refile:/etc/opendkim/signing.table
KeyTable /etc/opendkim/key.table
SignatureAlgorithm rsa-sha256

Create keys

cd /etc/opendkim
opendkim-genkey -d righter.ch -b 1048 -r -s 201702
mv 201702* keys
chown opendkim:opendkim *
chmod -R go-rwx .

Insert key in keytable …

milter-greylist with Postfix on Debian 8

Install

apt-get install milter-greylist

Modify config /etc/milter-greylist/greylist.conf (only changes listed)

# For sendmail use the following two lines
#socket "/var/run/milter-greylist/milter-greylist.sock"
#user "smmsp"
# For Postfix uncomment the following two lines and comment out the
# sendmail ones above.
socket "/var/spool/postfix/milter-greylist/milter-greylist.sock" 660
user "greylist"
geoipdb "/usr/share/GeoIP/GeoIP.dat"
#racl whitelist default
racl greylist default

Change access

mkdir /var/spool/postfix/milter-greylist …

Implement OLE Filter on Debian 8 / Postfix (Mraptor Milter)

To avoid these stupid OLE viruses in Office documents, there is an OLE scanner which you can integrate into your Postfix: http://www.decalage.info/en/python/oletools

First you need a few packages via apt:

apt-get install python-milter python-daemonize

Then you need to install the OLE tools:

pip install -U https://github.com/decalage2/oletools/archive/master.zip
chmod +x /usr/local/lib/python2.7/dist-packages/oletools/mraptor_milter.py
/usr/local/lib/python2.7/dist-packages/oletools/mraptor_milter.py

Paste this in /etc/crontab for autostart at reboot …

Setup SRS on Postfix on Debian 8

First install postsrsd:

apt-get install postsrsd

Add this to Postfix main.cf:

# PostSRSd settings.
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient

and reload:

postfix reload

DANE based on existing Postfix, Let's Encrypt and DNSSEC

To activate it, use the following in the Postfix main.cf:

smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtpd_use_tls = yes

Now create the TLSA hash and generate a TLSA DNS record:

printf '%s' $(openssl x509 -in fullchain.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"')

Push to DNS:

_25._tcp.mail IN TLSA 3600 …

Test vServer 2: Cloudscale

So here are the results from Cloudscale.

CPU: It looks like the older v2 are installed here, but with a higher base clock. In benchmarks Cloudscale was faster than Hosttech, or possibly just less loaded 🙂

CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 2
On-line CPU(s) list: 0,1
Thread(s) per core: 1
Core(s) …