Hello there.

I’m trying Mailcow self-hosted at home in France, for testing purposes (at least for now).
I’m also using this as a base to see if we can replace our Exchange 365 solution with a hosted one that is easy to manage, safe and reliable, but that’s a story for another time, since if my tests are successful I will make sure my company gets enterprise support, as it’s fairly reasonably priced.

I managed to set everything up and it is working pretty well for now, but I’m trying to see if I can reach PCI DSS / HIPAA / NIST level on ImmuniWeb’s Email Security Test (immuniweb.com), as I’m able to with our Exchange Online solution.

I read all the docs I could, searched this community forum and the git repository for solutions, but I did not find one that seems to work for these elements, which ImmuniWeb does not seem to be happy about:

  1. SMTP AUTHENTICATION: Plain authentication without TLS available
  2. ${FQDN}:25 (SMTP) SSL Security Test: The server has TLS 1.0 enabled. It is non-compliant with NIST since SP 800-52 REV. 2 and non-compliant with PCI DSS since the 30th of June 2018.
  3. ${FQDN}:25 (SMTP) SSL Security Test => SERVER DOES NOT SUPPORT OCSP STAPLING: The server is not configured to support OCSP stapling for its RSA certificate, which allows better verification of the certificate validation status. Reconfigure or upgrade your web server to enable OCSP stapling.
  4. ${FQDN}:25 (SMTP) SSL Security Test => Non-compliant cipher suites. Example: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA or TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

I searched every place in data/conf and the Mailcow UI to find where I could change these parameters, but I can’t find a way to get rid of these warnings in the ImmuniWeb analysis.

Does someone have some hints as to where I could change this?

Greetings.


As it’s said in the docs (docs.mailcow.email): “Unauthenticated mail via SMTP on port 25/tcp does still accept >= TLS 1.0. It is better to accept a weak encryption than none at all.”

The fact that weak TLS algorithms are active can, of course, trigger other SSL warnings. That’s why it’s important to not just run those online tests, but also to understand and classify these results.

Thanks for your response.

I’m not discussing default settings or the way mailcow works, actually. I pretty much understand how it works and what it does.

I’m just trying to see how far I can go for security customization and compliance on inbound.

I don’t know how it goes in other countries, but French mail providers, mainly the GAFAM-like ones such as Google or Microsoft, have already shut down and no longer accept unencrypted or unauthenticated TLS 1.0 + TLS 1.1.
Mail sent that way is simply rejected, and it actually works pretty well in our country to reject bad mail providers.
That’s why I’m trying to replicate this.

Actually, another good French mail provider, Mailo, is at least PCI DSS compliant and does replicate those conditions.

So I did understand and classify these results. I did that already and dug up a lot of information from the mailcow documentation (I read the link you mention in your answer).

Thing is: I want to change these inbound settings and reject what I want to be rejected, and I can’t seem to find where I can change these policies to do what I want, neither in the documentation, the git repo nor this community forum.

It does not really bother me if I keep using mailcow as a personal mail server, since I don’t have to comply with any standard, but if I want this solution to be viable for my company, which does have to comply with at least PCI DSS, I need to be able to generate a compliance report that will be validated by the ANSSI (https://www.ssi.gouv.fr/) and the CNIL (cnil.fr).
For now the reports from ImmuniWeb were validated successfully, so I’m looking for the same settings on a self-hosted solution.

Would you know of a way I could do this?

@esackbauer Thanks for your response.

I was actually tweaking this file as I found on this site: Mailcow - SMTP + SMTPD TLS 1.0 TLS1.1 deaktivieren

but I did not achieve 100% of what I stated in this message, so I wanted to tinker with the settings and see how far I could go before sharing what I found with the community.

I didn’t manage to check all the cases I stated, but I think I went far enough and found most of what I was looking for.

I did achieve the PCI DSS green mark with an A+ grade on the (SMTP) SSL Security Test for ${FQDN}:25 with the following settings in /opt/mailcow-dockerized/data/conf/postfix/extra.cf:
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
lmtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
lmtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256
smtpd_tls_eecdh_grade = ultra

I may play a bit with the cipher list another day to make more of them available. It seems a little too restrictive, even for me.

I did play with TLS auth only, but ImmuniWeb still complains. At least it’s not RED and it does not concern PCI DSS, so I won’t care much more.
I used these settings in extra.cf:
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes

It also seems that Postfix does not have a way to implement OCSP stapling, so I gave up on that for now. It does not break PCI DSS compliance anyway, so why bother.

I use pfSense+ (free laboratory licence on a mini PC) and a commercial Netgate appliance with pfSense+ at work.

We tend to use open source as much as we can, and I push my management to pay for support or donate to these projects as much as I can at my level, so I would actually rather do what I can at home and present a solution that matches my convictions.
I may be a rare case and my impact is small, but I try to push open source usage where I can, contrary to most companies in France that go with Microsoft or Google, or any other commercial solution, for ease of use and not having to think about it.
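The settings above are judged by what the scanner sees on the wire, so it helps to reproduce that view locally instead of re-running the online test after every change. The script below is an added example, not code from the mailcow project, Postfix, or the poster: it opens one SMTP session per TLS version with the client pinned to exactly that version, records which versions the server's STARTTLS accepts, and reads the pre-TLS EHLO reply to see whether AUTH is advertised before STARTTLS. The host name, the EHLO name and the sample transcript in the `__main__` block are constructed assumptions.

```python
"""Probe a STARTTLS listener the way an online SMTP TLS scanner does:
which TLS versions the server accepts and whether AUTH is advertised before
STARTTLS.  Added example, not mailcow or Postfix code.  The host/port and
the EHLO transcript in __main__ are constructed assumptions."""
import smtplib
import ssl

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1.0", "TLSv1.1"}  # below the NIST SP 800-52r2 / PCI DSS floor


def parse_ehlo(reply: bytes) -> dict:
    """Map a raw multi-line EHLO reply to {EXTENSION: parameters}.
    The first line carries the server name and is skipped."""
    features = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        features[keyword.upper()] = params
    return features


def classify(plain_features: dict, accepted: set) -> list:
    """Scanner-style findings from the pre-TLS EHLO features and accepted versions."""
    findings = []
    if "AUTH" in plain_features:
        findings.append("AUTH advertised before STARTTLS: plain authentication without TLS")
    if "STARTTLS" not in plain_features:
        findings.append("STARTTLS not offered")
    for name in sorted(accepted & LEGACY):
        findings.append(f"{name} accepted: non-compliant")
    if not accepted & {"TLSv1.2", "TLSv1.3"}:
        findings.append("neither TLS 1.2 nor 1.3 accepted")
    return findings


def pinned_context(version):
    """Client context that offers exactly one protocol version.  Verification is
    off and the OpenSSL security level lowered so that a failed handshake
    reflects the server's policy, not the client's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=25, helo="probe.example.test"):
    """Return (findings, accepted_versions) for host:port.  One connection per
    version, because a failed STARTTLS handshake ends the SMTP session."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo(helo)
        plain = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    accepted = set()
    for name, version in VERSIONS.items():
        try:
            with smtplib.SMTP(host, port, timeout=10) as smtp:
                smtp.ehlo(helo)
                smtp.starttls(context=pinned_context(version))
                accepted.add(name)
        except (ssl.SSLError, smtplib.SMTPException, OSError, ValueError):
            pass  # refused by the server, unsupported by local OpenSSL, or disconnected
    return classify(plain, accepted), accepted


if __name__ == "__main__":
    # Constructed transcript: what a scanner sees on an un-hardened port 25.
    SAMPLE = (b"250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n"
              b"250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")
    print(classify(parse_ehlo(SAMPLE), {"TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"}))
    # Live run against an assumed host: print(probe("mail.example.test", 25))
```

One caveat when reading the live results: if the local Python/OpenSSL build no longer supports TLS 1.0 or 1.1 at all, those two probes are reported as not accepted whatever the server does; cross-check with `openssl s_client -starttls smtp -tls1` (and `-tls1_1`) from a host that still has them before trusting a clean result.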

SMTP AUTHENTICATION : Plain authentication without TLS available

This one is solved by using the option smtpd_sasl_auth_enable = no globally, but setting only this option in extra.cf disables the ability to use SMTP over TLS for outgoing…

I tried to be more selective in the enforcement, but it’s not easy to target a specific port in Postfix, and my knowledge is lacking, at least for now, to find a working combination.

From what I see in master.cf and main.cf, there is already some form of selectivity, but it follows the reverse logic.
SASL is enabled globally in main.cf, but it’s disabled for inter-MX traffic with postscreen on 25/tcp in master.cf.
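Both the TLS settings posted earlier in the thread and the SASL question here come down to a handful of Postfix parameters whose Postfix semantics are easy to get wrong (`!TLSv1` excludes only TLS 1.0, TLS 1.1 is spelled `TLSv1.1`; `smtpd_tls_ciphers = high` still uses Postfix's default `high` list, which contains CBC suites, unless `tls_high_cipherlist` is set). The audit below is an added example, not mailcow or Postfix code: it parses `key = value` text as Postfix reads it (a later key wins, which matches mailcow appending extra.cf to main.cf), resolves the protocol exclusions, checks the explicit cipher list for non-AEAD suite names and flags SASL being offered without `smtpd_tls_auth_only`. The two configurations embedded in it are constructed samples, not mailcow's shipped files, and the check only understands explicit OpenSSL suite names, not aliases such as `HIGH:!aNULL`.

```python
"""Offline audit of the Postfix TLS/SASL parameters discussed in this thread.
Added example; neither mailcow nor Postfix code.  Feed it main.cf followed by
extra.cf (mailcow appends extra.cf, so the later key wins; this parser does the
same).  WEAK_CFG and HARDENED_CFG are constructed samples."""
import re

ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # below NIST SP 800-52r2 / PCI DSS floor
# substrings marking non-AEAD or legacy OpenSSL suite names (explicit names only, no aliases)
WEAK_SUITE_MARKERS = ("CBC", "CAMELLIA", "RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")


def parse_postconf(text):
    """'key = value' lines; '#' comments dropped; a repeated key keeps its last value."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def allowed_protocols(spec):
    """Versions a Postfix *_tls_protocols value leaves enabled.  Handles the
    exclusion form ('!SSLv2,!SSLv3,!TLSv1'), an inclusion list, and the
    '>=TLSv1.2' form accepted by Postfix 3.6 and later."""
    items = [t for t in re.split(r"[,\s]+", spec.strip()) if t]
    if len(items) == 1 and items[0].startswith(">="):
        return set(ALL_PROTOCOLS[ALL_PROTOCOLS.index(items[0][2:]):])
    excluded = {t[1:] for t in items if t.startswith("!")}
    included = {t for t in items if not t.startswith("!")}
    return (included or set(ALL_PROTOCOLS)) - excluded


def audit(config_text):
    """Return findings in the style of an online SMTP TLS scanner."""
    p = parse_postconf(config_text)
    findings = []
    for key in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        if key not in p:
            findings.append(f"{key} unset: the Postfix default still accepts TLS 1.0 and 1.1")
            continue
        legacy = allowed_protocols(p[key]) & LEGACY_PROTOCOLS
        if legacy:
            findings.append(f"{key} still allows " + ", ".join(sorted(legacy, key=ALL_PROTOCOLS.index)))
    for key in ("smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers"):
        if p.get(key, "medium") != "high":  # Postfix default grade is medium
            findings.append(f"{key}={p.get(key, 'medium')} includes CBC/legacy suites")
    cipherlist = p.get("tls_high_cipherlist")
    if cipherlist is None:
        findings.append("tls_high_cipherlist unset: Postfix's default 'high' list still includes CBC suites")
    elif re.search(r"[\s=]", cipherlist):
        findings.append("tls_high_cipherlist is malformed (contains whitespace or '=')")
    else:
        weak = [s for s in cipherlist.split(":") if any(m in s.upper() for m in WEAK_SUITE_MARKERS)]
        if weak:
            findings.append("tls_high_cipherlist contains legacy suites: " + ", ".join(weak))
    if p.get("smtpd_sasl_auth_enable", "no") == "yes" and p.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable=yes without smtpd_tls_auth_only=yes: AUTH offered before STARTTLS")
    return findings


# Constructed sample: TLS 1.1 left open, Camellia CBC suites, AUTH before TLS.
WEAK_CFG = """
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
"""

# Constructed sample: TLS 1.2+ only, AEAD suites only, SASL only after STARTTLS.
HARDENED_CFG = """
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit(cfg) or ["clean"])
```

The audit only covers main.cf-style parameters. The per-listener switch the last post is looking for lives in master.cf: Postfix lets each service line carry `-o parameter=value` overrides, so `smtpd_sasl_auth_enable` can stay `yes` globally while the port-25 `smtpd` entry gets `-o smtpd_sasl_auth_enable=no` and the submission and smtps entries keep it enabled; check the effective values per service with `postconf -Mf`.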
