@esackbauer Thanks for your response.
I was actually tweaking this file, which I found on this site: https://schroederdennis.de/tipps-tricks/mailcow-smtp-smtpd-tls-1-0-tls1-1-deaktivieren/ but I did not achieve 100% of what I stated in this mail, so I wanted to tinker with the settings and see how far I could go before sharing what I found with the community.
I didn't manage to check all the cases I stated, but I think I went far enough and found most of what I was looking for.
I did achieve a PCI DSS green mark with an A+ grade on the (SMTP) SSL Security Test for ${FQDN}:25 with the following settings in /opt/mailcow-dockerized/data/conf/postfix/extra.cnf:
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
lmtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
lmtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256
smtpd_tls_eecdh_grade = ultra
I may play a bit with the cipher list another day to add more. It seems a little too restrictive, even for me.
I did play with TLS auth only, but ImmuniWeb still complains. At least it's not RED, and it does not concern PCI DSS, so I won't care much more.
I used these settings in extra.cnf:
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
It also seems that Postfix does not have a way to implement OCSP Stapling, so I gave up on that for now. It does not break PCI DSS compliance anyway, so why bother.
I use pfSense+ (free laboratory licence on a mini PC) and a commercial Netgate appliance with pfSense+ at work.
We tend to use Open Source as much as we can, and I push my management to pay for support or donate to these projects as much as I can at my level, so I would actually rather do what I can at home and present a solution that matches my convictions.
I may be a rare case and my impact is small, but I try to push Open Source usage where I can, contrary to most companies in France, who go with Microsoft or Google, or any other commercial solution, for ease of use and not having to think about it.
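An offline check for Postfix TLS fragments such as the extra.cnf settings above, added here as an example; it is not part of the post, of mailcow, or of the linked article. It parses `key = value` lines the way Postfix does (last assignment wins), resolves each `*_tls_protocols` value to the set of versions it still permits (Postfix names TLS 1.0 `TLSv1` and TLS 1.1 `TLSv1.1`, and also accepts the `>=TLSv1.2` floor form from Postfix 3.6 on), checks the cipher grades, and flags two paste errors that are easy to miss in a long line: a duplicated `key = key = ...` assignment and a duplicated list token. The `tls_high_cipherlist` rule assumes OpenSSL's split between the cipher list (TLS 1.2 and older) and the separately configured TLS 1.3 ciphersuites. Both sample fragments are constructed for the example.

```python
"""Offline lint for a Postfix TLS fragment (main.cf or mailcow's extra.cnf).

Added example, not code from the forum post or from mailcow.  It reads a
config fragment and reports protocol, cipher and paste problems without
touching a live server.  The sample fragments at the bottom are constructed.
"""
import re

# Postfix protocol names, oldest first.  "TLSv1" is TLS 1.0 only; TLS 1.1
# has its own name, "TLSv1.1", and is not excluded by "!TLSv1".
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # versions PCI DSS style scans flag

PROTO_PARAM = re.compile(r"(smtp|smtpd|lmtp)_tls(_mandatory)?_protocols")
CIPHER_PARAM = re.compile(r"(smtp|smtpd|lmtp)_tls(_mandatory)?_ciphers")


def parse_postfix(text):
    """Return {parameter: value} for 'key = value' lines (last assignment wins)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def enabled_protocols(spec):
    """Resolve a *_tls_protocols value to the set of versions it permits.

    Postfix accepts an exclusion list ("!SSLv2,!SSLv3,!TLSv1"), a floor
    (">=TLSv1.2", Postfix 3.6+) or an explicit allow-list ("TLSv1.2,TLSv1.3").
    """
    tokens = [t for t in re.split(r"[,\s]+", spec) if t]
    if not tokens:
        return set(PROTOCOL_ORDER)
    if tokens[0].startswith(">="):
        return set(PROTOCOL_ORDER[PROTOCOL_ORDER.index(tokens[0][2:]):])
    if all(t.startswith("!") for t in tokens):
        return set(PROTOCOL_ORDER) - {t[1:] for t in tokens}
    return {t for t in tokens if not t.startswith("!")}


def lint_tls(text):
    """Return a list of human-readable findings for the fragment."""
    findings = []
    for key, value in parse_postfix(text).items():
        # A pasted "x = x = ..." line makes the value begin with a parameter name.
        if re.match(r"^[a-z_]+\s*=", value):
            findings.append(f"{key}: value starts with another assignment ({value[:30]}...)")
            continue
        if PROTO_PARAM.fullmatch(key):
            weak = enabled_protocols(value) & LEGACY
            if weak:
                order = sorted(weak, key=PROTOCOL_ORDER.index)
                findings.append(f"{key}: still permits {', '.join(order)}")
            tokens = [t for t in re.split(r"[,\s]+", value) if t]
            if len(tokens) != len(set(tokens)):
                findings.append(f"{key}: duplicate token in list")
        elif CIPHER_PARAM.fullmatch(key) and value != "high":
            findings.append(f"{key}: cipher grade is '{value}', expected 'high'")
        elif key == "tls_high_cipherlist":
            for suite in value.split(":"):
                if suite.startswith("TLS_"):
                    findings.append(f"{key}: {suite} is a TLS 1.3 suite name; "
                                    "this list only selects TLS 1.2 and older ciphers")
                elif "DHE" not in suite:
                    findings.append(f"{key}: {suite} has no forward secrecy")
    return findings


# Constructed fragment reproducing two paste errors and a "!TLSv1"-only exclusion.
POSTED = """\
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_ciphers = high
tls_high_cipherlist = tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
smtpd_tls_eecdh_grade = ultra
"""

# Constructed fragment with both exclusion styles that stop at TLS 1.2.
HARDENED = """\
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    for name, fragment in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"== {name}")
        for finding in lint_tls(fragment) or ["no findings"]:
            print("  ", finding)
```

Run it as `python3 lint_postfix_tls.py` or point `lint_tls` at the contents of your own extra.cnf; a fragment that passes still needs a live check (for example `openssl s_client -starttls smtp -tls1_1` against port 25) because extra.cnf only matters once Postfix has actually been reloaded with it.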