1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

Add Mailcow configurations (#102)

* Add Mailcow configurations

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2022-12-27 17:11:30 -05:00 committed by GitHub
parent d61a0869d9
commit 866e40cf51
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 96 additions and 0 deletions

View File

@ -0,0 +1,96 @@
---
title: "Slightly Improving Mailcow Security"
date: 2022-07-18
tags: ['Applications', 'Linux', 'Security']
author: Tommy
---
![Mailcow](/images/mailcow.png)
Mailcow is a fairly popular self-hosted mail server. If you use it, there are a few ways you can improve its security by following these steps.
## Postfix Configuration
Consider disabling weak ciphers and TLS versions below 1.2 in `data/conf/postfix/extra.cf`:
```
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
tls_preempt_cipherlist = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
```
## NGINX Configuration
These security configurations can be added/modified in `data/conf/nginx/includes/site-defaults.conf`.
## SSL Ciphers
Consider only supporting ciphers matching that of TLSv1.3:
```
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
```
## HSTS
Consider adding `includeSubDomains;`to the HSTS configuration if all of your services are using HTTPS:
```
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
```
### X-XSS-Protection
We will setup Content Security, so this header is no longer needed. In fact, it may do [more harm than good](https://github.com/helmetjs/helmet/issues/230). Change the setting to `0`:
```
add_header X-XSS-Protection "0";
```
### Permission Policy
Mailcow does not need any special permissions to operate, except for USB which is needed to access your FIDO2 keys if you use them.
Add this header to deny other permissions:
```
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
```
### Content Security Policy
Use the following as your [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#:~:text=Content%20Security%20Policy%20(CSP)%20is,site%20defacement%2C%20to%20malware%20distribution.):
#### If you use Gravatar with SOGo
```
add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'";
```
#### If you do not use Gravatar with SOGo
```
add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'";
```
### Cross-Origin Opener, Resource, and Embedder Policies
Mailcow does not use any cross site scripts, or documents. Thus, you should set CORP and COOP headers to their strictest configuration:
```
add_header Cross-Origin-Opener-Policy same-origin;
add_header Cross-Origin-Resource-Policy same-origin;
```
If you do not use Gravatar with SOGo, you can also set COEP to require-corp since image embedding will not be used either:
```
add_header Cross-Origin-Embedder-Policy require-corp;
```

BIN
static/images/mailcow.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 877 KiB