[Ach] DFN-CERT publishes recommendations for mail servers

[Sebastian]

Hi,

the german DFN CERT (CERT for academic networks) published (german)
recommendations on transport encryption for mailservers.[1] In the
beginning of the guide they say:
> Die Konfigurationen sind teilweise dem Bettercrypto Projekt entnommen.
Dieses Paper berück-
> sichtigt ebenfalls Erkenntnisse aus BSI TR-03108-1 sowie BSI TR-03116-4.
Translated:
> The configurations are partially taken from the Bettercrypto project.
The paper also
> considers the insights from BSI TR-03108-1 sowie BSI TR-03116-4.
The latter two are recommendations by the german government agency
BSI.[2][3]

The recommended cipher strings for OpenSSL do not differ (suite B).
Their guide does recommend cipher strings for GnuTLS whereas we
explicitly do not (both only for Exim).
Their guide does contain much more information on the setup, which we
did not because it can also be found in the linked documentation of the
projects.
However it contains some useful sections, eg to enforce TLS for a
specific destination.
It also covers DANE/TLSA and its configuration on postfix and exim. We
only refer to it in section "3.8.2. Hardening PKI"

Sebastian

[1]: https://www.dfn-cert.de/aktuell/smtp-transportverschluesselung.html
[2]:
https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03108/index_htm.html
[3]:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03116/BSI-TR-03116-4.html

-- 
python programming - mail server - photo - video - https://sebix.at
cryptographic key at https://sebix.at/DC9B463B.asc and on public keyservers


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 854 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20170922/c2d020b9/attachment.sig>