|
| 1 | +--- |
| 2 | +title: "Slightly Improving Mailcow Security" |
| 3 | +date: 2022-07-18 |
| 4 | +tags: ['Applications', 'Linux', 'Security'] |
| 5 | +author: Tommy |
| 6 | +--- |
| 7 | + |
| 8 | + |
| 9 | + |
| 10 | +Mailcow is a fairly popular self-hosted mail server. If you use it, there are a few ways you can improve its security by following these steps. |
| 11 | + |
| 12 | +## Postfix Configuration |
| 13 | + |
| 14 | +Consider disabling weak ciphers and TLS versions below 1.2 in `data/conf/postfix/extra.cf`: |
| 15 | + |
| 16 | +``` |
| 17 | +tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 |
| 18 | +tls_preempt_cipherlist = yes |
| 19 | +
|
| 20 | +smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 |
| 21 | +smtp_tls_ciphers = high |
| 22 | +smtp_tls_mandatory_ciphers = high |
| 23 | +
|
| 24 | +smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 |
| 25 | +smtpd_tls_ciphers = high |
| 26 | +smtpd_tls_mandatory_ciphers = high |
| 27 | +``` |
| 28 | + |
| 29 | +## NGINX Configuration |
| 30 | + |
| 31 | +These security configurations can be added/modified in `data/conf/nginx/includes/site-defaults.conf`. |
| 32 | + |
| 33 | +## SSL Ciphers |
| 34 | + |
| 35 | +Consider only supporting ciphers matching that of TLSv1.3: |
| 36 | + |
| 37 | +``` |
| 38 | +ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"; |
| 39 | +``` |
| 40 | + |
| 41 | +## HSTS |
| 42 | + |
| 43 | +Consider adding `includeSubDomains;`to the HSTS configuration if all of your services are using HTTPS: |
| 44 | + |
| 45 | +``` |
| 46 | +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; |
| 47 | +``` |
| 48 | + |
| 49 | +### X-XSS-Protection |
| 50 | + |
| 51 | +We will setup Content Security, so this header is no longer needed. In fact, it may do [more harm than good](https://github.com/helmetjs/helmet/issues/230). Change the setting to `0`: |
| 52 | + |
| 53 | +``` |
| 54 | +add_header X-XSS-Protection "0"; |
| 55 | +``` |
| 56 | + |
| 57 | +### Permission Policy |
| 58 | + |
| 59 | +Mailcow does not need any special permissions to operate, except for USB which is needed to access your FIDO2 keys if you use them. |
| 60 | + |
| 61 | +Add this header to deny other permissions: |
| 62 | + |
| 63 | +``` |
| 64 | +add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; |
| 65 | +``` |
| 66 | + |
| 67 | +### Content Security Policy |
| 68 | + |
| 69 | +Use the following as your [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#:~:text=Content%20Security%20Policy%20(CSP)%20is,site%20defacement%2C%20to%20malware%20distribution.): |
| 70 | + |
| 71 | +#### If you use Gravatar with SOGo |
| 72 | + |
| 73 | +``` |
| 74 | +add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'"; |
| 75 | +``` |
| 76 | + |
| 77 | +#### If you do not use Gravatar with SOGo |
| 78 | + |
| 79 | +``` |
| 80 | +add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'"; |
| 81 | +``` |
| 82 | + |
| 83 | +### Cross-Origin Opener, Resource, and Embedder Policies |
| 84 | + |
| 85 | +Mailcow does not use any cross site scripts, or documents. Thus, you should set CORP and COOP headers to their strictest configuration: |
| 86 | + |
| 87 | +``` |
| 88 | +add_header Cross-Origin-Opener-Policy same-origin; |
| 89 | +add_header Cross-Origin-Resource-Policy same-origin; |
| 90 | +``` |
| 91 | + |
| 92 | +If you do not use Gravatar with SOGo, you can also set COEP to require-corp since image embedding will not be used either: |
| 93 | + |
| 94 | +``` |
| 95 | +add_header Cross-Origin-Embedder-Policy require-corp; |
| 96 | +``` |
0 commit comments