1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-11-13 18:11:33 -05:00
privsec.dev/content/posts/linux/Slightly Improving Mailcow Security.md
Thien Tran c162d22c35
Disable gzip compression for mailcow
Signed-off-by: Thien Tran <contact@tommytran.io>
2023-08-25 15:28:59 -07:00

4.1 KiB

title date tags author
Slightly Improving Mailcow Security 2022-07-18
Applications
Linux
Security
Tommy

Mailcow

Mailcow is a fairly popular self-hosted mail server. If you use it, there are a few ways you can improve its security by following these steps.

Postfix Configuration

Consider disabling weak ciphers and TLS versions below 1.2 in data/conf/postfix/extra.cf:

tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
tls_preempt_cipherlist = yes

smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high

smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high

NGINX Configuration

These security configurations can be added/modified in data/conf/nginx/includes/site-defaults.conf.

SSL Ciphers

Consider only supporting strong ciphers:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

And prioritize ChaCha ciphers:

ssl_conf_command Options PrioritizeChaCha;

HSTS

Consider adding includeSubDomains; and preload; to the HSTS configuration if all of your services are using HTTPS:

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

X-XSS-Protection

We will setup Content Security, so this header is no longer needed. In fact, it may do more harm than good. Change the setting to 0:

add_header X-XSS-Protection "0";

Permission Policy

Mailcow does not need any special permissions to operate, except for USB which is needed to access your FIDO2 keys if you use them.

Add this header to deny other permissions:

add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";

Content Security Policy

Use the following as your Content Security Policy:

If you use Gravatar with SOGo

add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'";

If you do not use Gravatar with SOGo

add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'";

Cross-Origin Resource, Opener, and Embedder Policies

Mailcow does not use any cross site scripts, or documents. Thus, you should set CORP and COOP headers to their strictest configuration:

add_header Cross-Origin-Resource-Policy same-origin;
add_header Cross-Origin-Opener-Policy same-origin;

If you do not use Gravatar with SOGo, you can also set COEP to require-corp since image embedding will not be used either:

add_header Cross-Origin-Embedder-Policy require-corp;

GZIP Compression

Disable gzip compression to avoid the BREACH attack. Change gzip on; to gzip off;.