From 4ea5f9c8e83e05d5be3c0dc2d4b7d63226e978bf Mon Sep 17 00:00:00 2001 From: Joris Le Blansch Date: Tue, 22 Oct 2024 10:40:16 +0200 Subject: [PATCH] added Postfix Cipher hardening to docs (#775) * Update u_e-postfix-extra_cf.en.md Added an example of adding cipher restriction and TLS protocols to current standards. * restructured files + added german version * fix removal of extra_cf text * fixfix: placing of extra.cf notice --------- Co-authored-by: DerLinkman --- .../Postfix/u_e-postfix-extra_cf.en.md | 4 ++-- .../Postfix/u_e-postfix-harden_ciphers.de.md | 16 ++++++++++++++++ .../Postfix/u_e-postfix-harden_ciphers.en.md | 16 ++++++++++++++++ mkdocs.yml | 2 ++ 4 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.de.md create mode 100644 docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.en.md
diff --git a/docs/manual-guides/Postfix/u_e-postfix-extra_cf.en.md b/docs/manual-guides/Postfix/u_e-postfix-extra_cf.en.md
index f0b4a28b6c..260e0a8d72 100644
--- a/docs/manual-guides/Postfix/u_e-postfix-extra_cf.en.md
+++ b/docs/manual-guides/Postfix/u_e-postfix-extra_cf.en.md
@@ -1,6 +1,6 @@ Please create a new file `data/conf/postfix/extra.cf` for overrides or additional content to `main.cf`. -Postfix will complain about duplicate values once after starting postfix-mailcow, this is intended. +Postfix will complain about duplicate values once after starting `postfix-mailcow`, this is intended. Syslog-ng was configured to hide those warnings while Postfix is running, to not spam the log files with unnecessary information every time a service is used.
@@ -16,4 +16,4 @@ Restart `postfix-mailcow` to apply your changes: ``` bash docker-compose restart postfix-mailcow - ``` + ``` \ No newline at end of file
diff --git a/docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.de.md b/docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.de.md
new file mode 100644
index 0000000000..e70e2e1ed2
--- /dev/null 
+++ b/docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.de.md
@@ -0,0 +1,16 @@
+Wenn Sie die Standard-Cipher und TLS-Versionen, die in Postfix akzeptiert werden, entsprechend der aktuellen Version auf stärkere Einstellungen ändern möchten, können Sie Folgendes zu Postfix [extra.cf](u_e-postfix-extra_cf.de.md) hinzufügen:
+
+```bash
+tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
+tls_preempt_cipherlist = yes
+
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+```
+
+Eine solche Konfiguration wird die aktuellen (2024-10-21) Konfigurationsprüfungen bei Diensten wie Internet.nl bestehen.
\ No newline at end of file
diff --git a/docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.en.md b/docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.en.md
new file mode 100644
index 0000000000..1e2db5776d
--- /dev/null
+++ b/docs/manual-guides/Postfix/u_e-postfix-harden_ciphers.en.md 
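Review bot: The opportunistic-TLS settings `smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` and `smtp_tls_ciphers = high` (plus the matching `smtpd_tls_*` lines) in the new de.md page, repeated identically in the en.md hunk, are presented purely as hardening, but for the `may` security level Postfix falls back to plaintext when the TLS handshake with a peer fails, so a remote MTA that only offers TLS 1.0/1.1 or none of the listed ciphers ends up exchanging mail unencrypted rather than being refused, and inbound senders whose handshake fails on `smtpd_tls_ciphers = high` typically retry without STARTTLS. Only the `*_mandatory_*` values apply where TLS is enforced (`security_level = encrypt`, e.g. submission ports), which is where requiring `high` is safe. The page should state that trade-off next to the snippet, e.g. after the code block: `Note: the non-mandatory smtp_tls_* / smtpd_tls_* settings also govern opportunistic TLS with other mail servers, where a failed handshake leads to plaintext delivery instead of a rejection; after applying this, watch the Postfix logs for peers that now send or receive without TLS.` It would also help to name the Postfix version the exclusion syntax was verified against, since newer releases also accept the `>=TLSv1.2` form, and in the English text "as per it's current release" should read "its".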
@@ -0,0 +1,16 @@
+If you want to change the default ciphers and TLS versions accepted in postfix as per it's current release to something stronger, you could add following inside Postfix [extra.cf](u_e-postfix-extra_cf.en.md):
+
+```bash
+tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
+tls_preempt_cipherlist = yes
+
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_ciphers = high
+smtp_tls_mandatory_ciphers = high
+
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+```
+
+Such a configuration will pass current (2024-10-21) configuration checks against services like Internet.nl.
\ No newline at end of file
diff --git a/mkdocs.yml b/mkdocs.yml
index ad10ef5f57..2397471675 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -140,6 +140,7 @@ nav: - 'Custom transport maps': 'manual-guides/Postfix/u_e-postfix-custom_transport.md' - 'Customize/Expand main.cf': 'manual-guides/Postfix/u_e-postfix-extra_cf.md' - 'Disable Sender Addresses Verification': 'manual-guides/Postfix/u_e-postfix-disable_sender_verification.md' + - 'Hardening Ciphers': 'manual-guides/Postfix/u_e-postfix-harden_ciphers.md' - 'Max. message size (attachment size)': 'manual-guides/Postfix/u_e-postfix-attachment_size.md' - 'Relayhosts': 'manual-guides/Postfix/u_e-postfix-relayhost.md' - 'Statistics with pflogsumm': 'manual-guides/Postfix/u_e-postfix-pflogsumm.md' 
@@ -285,6 +286,7 @@ plugins: 'Unauthenticated Relaying': 'Unauthentifiziertes Relaying' 'Custom transport maps': 'Benutzerdefinierte Transportmaps' 'Customize/Expand main.cf': 'main.cf anpassen/erweitern' + 'Hardening Ciphers': "Ciphers verstärken" 'Disable Sender Addresses Verification': 'Überprüfung der Absenderadressen deaktivieren' 'Max. message size (attachment size)': 'Maximale Nachrichtengröße (Größe des Anhangs)' 'Statistics with pflogsumm': 'Statistik mit pflogsumm'