restrict the list of ciphers. There are still some steps needed to
enable TLS, all in \verb|main.cf|:
-\begin{lstlisting}[breaklines]
- smtpd_tls_cert_file = /etc/postfix/server.pem
- smtpd_tls_key_file = /etc/postfix/server.key
- smtpd_tls_loglevel = 1
- # enable opportunistic TLS support in the SMTP server and client
- smtpd_tls_security_level = may
- smtp_tls_security_level = may
- smtp_tls_loglevel = 1
- # if you have authentication enabled, only offer it after STARTTLS
- smtpd_tls_auth_only = yes
- tls_ssl_options = NO_COMPRESSION
+\begin{lstlisting}
+smtpd_tls_cert_file = /etc/postfix/server.pem
+smtpd_tls_key_file = /etc/postfix/server.key
++smtpd_tls_loglevel = 1
+# use 0 for Postfix >= 2.9, and 1 for earlier versions
+smtpd_tls_loglevel = 0
+# enable opportunistic TLS support in the SMTP server and client
+smtpd_tls_security_level = may
+smtp_tls_security_level = may
++smtp_tls_loglevel = 1
+# if you have authentication enabled, only offer it after STARTTLS
+smtpd_tls_auth_only = yes
+tls_ssl_options = NO_COMPRESSION
\end{lstlisting}
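Review bot: the merged main.cf listing sets `smtpd_tls_loglevel` twice, first `smtpd_tls_loglevel = 1` (the `++` line) and a few lines later `smtpd_tls_loglevel = 0` under the new comment, while the client side keeps `smtp_tls_loglevel = 1`; this looks like a merge leftover rather than an intended pair. Postfix applies the last assignment and warns about overriding the earlier entry, so a reader who pastes the block gets level 0 plus a warning. Keep one line per parameter, and since postconf(5) documents level 0 as disabling TLS logging altogether, either give the reason for preferring 0 on Postfix >= 2.9 (cite the relevant TLS_README passage) or set both `smtpd_tls_loglevel = 1` and `smtp_tls_loglevel = 1` so the handshake summary stays in the logs.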
- \paragraphDiamond{MSA}
-\paragraph*{MSA}\mbox{}\\
-
++\paragraph{MSA:}
For the MSA \verb|smtpd| process, we first define the ciphers that are
acceptable for the ``mandatory'' security level, again in
\verb|main.cf|:
% add any further references or best practice documents here
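Review bot: `\paragraph{MSA:}` carries the colon inside the heading, whereas the headings this patch introduces elsewhere (`\subsubsection{Tested with Version}`, `\subsubsection{Settings}`, `\subsubsection{How to test}`) have none; drop the colon so the MSA paragraph title renders consistently with the rest of the restructured sections.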
-%%\item[How to test:]
+%%\subsubsection{How to test}
% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.
-\end{description}
-
-\begin{description}
-\item[Tested with Version:]
-Openswan 2.6.39 (on Gentoo)
-\item[Settings:] \mbox{}
+ % ----------------------------------------------------------------------
+ \subsection{Openswan}
-\begin{lstlisting}[breaklines]
++
++
++\subsubsection{Tested with Version}
++\begin{itemize*}
++ \item Openswan 2.6.39 (Gentoo)
++\end{itemize*}
++
++\subsubsection{Settings}
+ NB: The available algorithms depend on your kernel configuration (when using protostack=netkey) and/or
+ build-time options.
+
+ To list the supported algorithms
-\end{lstlisting}and look for 'algorithm ESP/IKE' at the beginning.
++\begin{lstlisting}
+ $ ipsec auto --status | less
-\begin{lstlisting}[breaklines]
++\end{lstlisting}
++and look for 'algorithm ESP/IKE' at the beginning.
+
-
-
-\item[How to test:]
++\begin{lstlisting}
+ aggrmode=no
+ # ike format: cipher-hash;dhgroup
+ # recommended ciphers:
+ # - aes
+ # recommended hashes:
+ # - sha2_256 with at least 43 byte PSK
+ # - sha2_512 with at least 86 byte PSK
+ # recommended dhgroups:
+ # - modp2048 = DH14
+ # - modp3072 = DH15
+ # - modp4096 = DH16
+ # - modp6144 = DH17
+ # - modp8192 = DH18
+ ike=aes-sha2_256;modp2048
+ type=tunnel
+ phase2=esp
+ # esp format: cipher-hash;dhgroup
+ # recommended ciphers configuration A:
+ # - aes_gcm_c-256 = AES_GCM_16
+ # - aes_ctr-256
+ # - aes_ccm_c-256 = AES_CCM_16
+ # - aes-256
+ # additional ciphers configuration B:
+ # - camellia-256
+ # - aes-128
+ # - camellia-128
+ # recommended hashes configuration A:
+ # - sha2-256
+ # - sha2-384
+ # - sha2-512
+ # - null (only with GCM/CCM ciphers)
+ # additional hashes configuration B:
+ # - sha1
+ # recommended dhgroups: same as above
+ phase2alg=aes_gcm_c-256-sha2_256;modp2048
+ salifetime=8h
+ pfs=yes
+ auto=ignore
+ \end{lstlisting}
+
-\begin{lstlisting}[breaklines]
++\subsubsection{How to test}
+ Start the vpn and using
-\end{lstlisting}and look for 'IKE algorithms wanted/found' and 'ESP algrorithms wanted/loaded'
-
-\item[References:]
-\url{https://www.openswan.org/}
-\end{description}
-
++\begin{lstlisting}
+ $ ipsec auto --status | less
++\end{lstlisting}
++and look for 'IKE algorithms wanted/found' and 'ESP algrorithms wanted/loaded'.
+
++\subsubsection{References}
++\todo{more specific References}
++\begin{itemize*}
++ \item \url{https://www.openswan.org/}
++\end{itemize*}
+
% ----------------------------------------------------------------------
%%\subsection{Juniper VPN}
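Review bot: the example conn in the Openswan listing ends with `auto=ignore`, so a reader who copies it verbatim gets a connection that is neither loaded nor started; either label the block as a `conn %default` template or use `auto=add` (or `auto=start`) in the example. In the same listing, `phase2alg=aes_gcm_c-256-sha2_256;modp2048` pairs an AEAD cipher with a separate HMAC although the comment a few lines above says null integrity is what goes with GCM/CCM (RFC 4106 requires integrity NONE when GCM provides it), so the example should read `aes_gcm_c-256-null;modp2048` or fall back to `aes-256-sha2_256;modp2048`; and `ike=aes-sha2_256;modp2048` leaves the IKE key length unqualified (128 bit by default) while the ESP comments rank aes-256 as configuration A and aes-128 only as B, so `ike=aes256-sha2_256;modp2048` would match the recommendation. The hash names in the ESP comments (`sha2-256`, `sha2-384`, `sha2-512`) use a dash where the IKE comments and the phase2alg value use `sha2_256`; use the underscore form throughout, since that is the spelling Openswan parses. In the How to test text, "Start the vpn and using ... and look for" is not a sentence (suggest "Start the VPN, run ... and look for") and "algrorithms" is misspelled; the `\todo{more specific References}` should be resolved or tracked in an issue before merge.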