From f0df390d12fcda51139c0d47fdfee957197c653d Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 14 Sep 2017 13:34:07 +0200
Subject: [PATCH 1/2] [Nginx] Stricter TLS settings

---
 data/conf/nginx/site.conf | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index 6cd711e08..5e47aa8b6 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -15,26 +15,19 @@ server {
   include /etc/nginx/mime.types;
   charset utf-8;
   override_charset on;
+
   ssl on;
   ssl_certificate /etc/ssl/mail/cert.pem;
   ssl_certificate_key /etc/ssl/mail/key.pem;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_protocols TLSv1.2;
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
   ssl_prefer_server_ciphers on;
-  ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
-
   add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+  add_header Strict-Transport-Security max-age=15768000;
 
-  #ssl_session_cache shared:SSL:50m;
-  #ssl_session_timeout 1d;
-  #ssl_session_tickets off;
-
-  #add_header X-Frame-Options SAMEORIGIN;
-  #add_header X-Content-Type-Options nosniff;
-  #add_header X-XSS-Protection "1; mode=block";
-  #add_header Referrer-Policy: no-referrer-when-downgrade;
-  #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
-
-  ssl_ecdh_curve secp384r1;
   index index.php index.html;
   include /etc/nginx/conf.d/server_name.active;
   error_log  /var/log/nginx/error.log;

From 089e8776f5cca5e56cf5180fb912f342a1ee91ff Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 14 Sep 2017 13:34:19 +0200
Subject: [PATCH 2/2] [Postfix] Stricter TLS settings for mandatory connections

---
 data/conf/postfix/main.cf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index fe6fd3ab6..cbdb2837d 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -69,11 +69,11 @@ smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
 smtpd_tls_eecdh_grade = strong
 smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
 smtpd_tls_loglevel = 1
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_protocols = !SSLv2, !SSLv3
-lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
-lmtp_tls_protocols = !SSLv2, !SSLv3
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+lmtp_tls_protocols = !SSLv2, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_protocols = !SSLv2, !SSLv3
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_security_level = may