HSTS centos 7

Discussion in 'Installation/Configuration' started by brody182, Mar 9, 2016.

  1. brody182

    brody182 Member

  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    HSTS is not mandatory - unless you feel that you really need to send everything over https by default, which:
    - increases server load due to https use
    - requires valid certificates if you don't want users to leave because they don't like adding custom signed certs, even though they can be more secure than anything a 3rd party offers
    - may cause issues for certain applications, e.g. if you need to send a referer to your advertising partner

    But if you really want that, you just need to follow some easy instructions for your webserver.
    If you use Apache for example:
    - You need to run a2enmod headers after you installed the ssl certificates and made sure it's working
    - Add the following entry to your additional vhost entries list:
    Code:
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    
    You may also check your ssl config to protect your server against some common attack vectors against old protocols
    Code:
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256
    SSLHonorCipherOrder on

    For more information on the syntax, check the corresponding RFC 6797

    For your mail authentication you may need to adjust your postfix and dovecot services.
    For Postfix check this entry.
    Also don't use old protocols:
    main.cf
    Code:
    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
    smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
    smtpd_tls_protocols=!SSLv2,!SSLv3
    smtp_tls_protocols=!SSLv2,!SSLv3
    

    Dovecot: don't use old protocols, in /etc/dovecot.conf

    Code:
    ssl_protocols = !SSLv2 !SSLv3
    ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM


    And for TLS enforcement check the Dovecot configuration page.

    This is by no means a complete howto, I think I'm missing some changes in postfix master.cf (after reading the linked pages)

    But I don't know how much help you need to do what you intended, so if there are any further questions, please feel free to reply :)
     
  3. brody182

    brody182 Member

    a2enmod headers is not available on CentOS

    and where in ISPConfig do I paste the Header script?
     
  4. brody182

    brody182 Member

    OK, got it. I added it to the directive snippets, then added it to the individual sites.
     
  5. brody182

    brody182 Member

    the only one I was missing was:
    smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
     
  6. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    OK great, I was just about to write that :)
     
  7. brody182

    brody182 Member

    when I include the following header in the apache directive I still get "Strict Transport Security (HSTS) = No" on ssllabs.com
    Code:
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
     
  8. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Sorry, my fault - the Header is for the SSL vhost configuration only, you have to permanently redirect non-https requests to https.
    For the SSL options and the HSTS header you could modify your template file
    /usr/local/ispconfig/server/conf/vhost.conf.master
    just look for the starting condition:
    <tmpl_if name='ssl_enabled'>
    and adjust it to your needs. However, this change will then affect every domain.
    I haven't checked whether there is an issue sending the HSTS header on non-https connections; if it's working, you probably don't need to modify the template.

    You can use ISPConfig redirect settings or htaccess/httpd option:
    Code:
      <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        # R=301 makes this the permanent redirect described above; L stops further rule processing
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
      </IfModule>
    

    And in addition to that you can also use the htaccess/httpd option to set the header for https only:

    Code:
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    

    I'm not sure about the ssl options, would need to look up the docs or let you try :D
     
    Last edited: Mar 9, 2016
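A check for what this thread ends up configuring, as an added example that is not from the thread or from ISPConfig: it parses the Strict-Transport-Security value per RFC 6797 and reports why a scanner would still show HSTS = No (header missing on the https response, malformed value, or no permanent http to https redirect). The sample responses are constructed, and the 180-day minimum max-age is an assumed threshold.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses (not captured from a real server).
HTTPS_HEADERS_OK = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HTTPS_HEADERS_MISSING = {"Content-Type": "text/html"}

def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Directives are ';'-separated, names are case-insensitive, values may be
    quoted, no directive may appear twice, and max-age is required.
    Returns None for a value a conforming browser would ignore.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if val else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None
    return directives

def evaluate(http_status: int, http_location: Optional[str],
             https_headers: Dict[str, str], min_age: int = 15552000) -> List[str]:
    """Return the reasons a scanner would still report HSTS = No (empty = fine).
    Plain-http requests must be permanently redirected to https, and the https
    response must carry a valid header; min_age (180 days) is an assumed threshold.
    """
    problems = []
    if http_status not in (301, 308) or not (http_location or "").startswith("https://"):
        problems.append("plain http is not permanently redirected to https")
    sts = next((v for k, v in https_headers.items()
                if k.lower() == "strict-transport-security"), None)
    if sts is None:
        problems.append("no Strict-Transport-Security header on the https response")
    else:
        parsed = parse_hsts(sts)
        if parsed is None:
            problems.append("malformed Strict-Transport-Security header: %r" % sts)
        elif int(parsed["max-age"]) < min_age:
            problems.append("max-age %s is below %d seconds" % (parsed["max-age"], min_age))
    return problems
```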