added Postfix Cipher hardening to docs (#775)

* Update u_e-postfix-extra_cf.en.md

Added an example of adding cipher restriction and TLS protocols to current standards.

* restructured files + added german version

* fix removal of extra_cf text

* fixfix: placing of extra.cf notice

---------

Co-authored-by: DerLinkman <[email protected]>

docs/manual-guides/Postfix/u_e-postfix-extra_cf.en.md

@@ -1,6 +1,6 @@
 Please create a new file `data/conf/postfix/extra.cf` for overrides or additional content to `main.cf`.
 
-Postfix will complain about duplicate values once after starting postfix-mailcow, this is intended.
+Postfix will complain about duplicate values once after starting `postfix-mailcow`, this is intended.
 
 Syslog-ng was configured to hide those warnings while Postfix is running, to not spam the log files with unnecessary information every time a service is used.
 
@@ -16,4 +16,4 @@ Restart `postfix-mailcow` to apply your changes:
 
     ``` bash
     docker-compose restart postfix-mailcow
-    ```
+    ```

docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.de.md

@@ -0,0 +1,16 @@
+Wenn Sie die Standard-Cipher und TLS-Versionen, die in Postfix akzeptiert werden, entsprechend der aktuellen Version auf stärkere Einstellungen ändern möchten, können Sie Folgendes zu Postfix [extra.cf](u_e-postfix-extra_cf.de.md) hinzufügen:
+
+```bash
+tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
+tls_preempt_cipherlist = yes
+
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+```
+
+Eine solche Konfiguration wird die aktuellen (2024-10-21) Konfigurationsprüfungen bei Diensten wie Internet.nl bestehen.

docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.en.md

@@ -0,0 +1,16 @@
+If you want to change the default ciphers and TLS versions accepted in postfix as per it's current release to something stronger, you could add following inside Postfix [extra.cf](u_e-postfix-extra_cf.en.md):
+
+```bash
+tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
+tls_preempt_cipherlist = yes
+
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+```
+
+Such a configuration will pass current (2024-10-21) configuration checks against services like Internet.nl.

mkdocs.yml

@@ -140,6 +140,7 @@ nav:
       - 'Custom transport maps': 'manual-guides/Postfix/u_e-postfix-custom_transport.md'
       - 'Customize/Expand main.cf': 'manual-guides/Postfix/u_e-postfix-extra_cf.md'
       - 'Disable Sender Addresses Verification': 'manual-guides/Postfix/u_e-postfix-disable_sender_verification.md'
+      - 'Hardening Ciphers': 'manual-guides/Postfix/u_e-postfix-harden_ciphers.md'
       - 'Max. message size (attachment size)': 'manual-guides/Postfix/u_e-postfix-attachment_size.md'
       - 'Relayhosts': 'manual-guides/Postfix/u_e-postfix-relayhost.md'
       - 'Statistics with pflogsumm': 'manual-guides/Postfix/u_e-postfix-pflogsumm.md'
@@ -285,6 +286,7 @@ plugins:
               'Unauthenticated Relaying': 'Unauthentifiziertes Relaying'
               'Custom transport maps': 'Benutzerdefinierte Transportmaps'
               'Customize/Expand main.cf': 'main.cf anpassen/erweitern'
+              'Hardening Ciphers': "Ciphers verstärken"
               'Disable Sender Addresses Verification': 'Überprüfung der Absenderadressen deaktivieren'
               'Max. message size (attachment size)': 'Maximale Nachrichtengröße (Größe des Anhangs)'
               'Statistics with pflogsumm': 'Statistik mit pflogsumm'