postfix main.cf

nhybgtvfr

can anyone confirm if i can make changes to /etc/postfix/main.cf they won't be overridden by any future updates.

or should i make any changes in
/var/local/enhance/default_email_configs/postfix/main.cf instead?
or will any changes there also get overwritten by any updates?

Adam

Changes to this file, with the exception of settings managed by Enhance (such as relayhost and myhostname), will persist.

jwaibel

amm i allowed to suggest to use more secure defaults?

mail.muster-firma.de. TLS 1.3 good
... TLS 1.2 sufficient
... TLS 1.1 phase out
... TLS 1.0 phase out
Everything below TLS V1.2 should not be in any config anymore!

Same for Ciphers:
mail.muster-firma.de. CAMELLIA128-SHA256 phase out

ECDHE-ECDSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]
ECDHE-ECDSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]
ECDHE-ECDSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]
ECDHE-RSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]
ECDHE-RSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]
ECDHE-RSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]

Sufficient:

ECDHE-ECDSA-AES256-SHA384 [1.2]
ECDHE-ECDSA-AES256-SHA [1.0]
ECDHE-ECDSA-AES128-SHA256 [1.2]
ECDHE-ECDSA-AES128-SHA [1.0]
ECDHE-RSA-AES256-SHA384 [1.2]
ECDHE-RSA-AES256-SHA [1.0]
ECDHE-RSA-AES128-SHA256 [1.2]
ECDHE-RSA-AES128-SHA [1.0]
DHE-RSA-AES256-GCM-SHA384 [1.2]
DHE-RSA-CHACHA20-POLY1305 [1.2]
DHE-RSA-AES128-GCM-SHA256 [1.2]
DHE-RSA-AES256-SHA256 [1.2]
DHE-RSA-AES256-SHA [1.0]
DHE-RSA-AES128-SHA256 [1.2]
DHE-RSA-AES128-SHA [1.0]

And also the last one in this list:

Mail server (MX) Affected parameters Security level
mail.muster-firma.de. DH-2048 insufficient

Updating any of those to be more secure will not harm any communications, so i only can suggest enhance.com to do put that on a near future update.