LibreLAMP Mail Server Packages

LibreLAMP is a collection of RPM Packages providing an alternate LAMP stack linked against LibreSSL, replacing the RHEL/CentOS 7 provided LAMP stack, which is linked against OpenSSL.

This page describes Mail Server software linked against LibreSSL that is provided in the LibreLAMP package repository.

For installation instructions, please see the LibreLAMP Installation page.



Postfix Packaging Notes

[Postfix Mouse Mascot]

RHEL/CentOS 7 ships with Postfix 2.10.1. LibreLAMP has Postfix 2.11.11, based on the Fedora 21 source RPM.

One of the really nice new features in the 2.11.x branch is PKI-less TLS server certificate verification based on DANE.

Since the 2.11.x branch of Postfix is officially ‘End of Life’ LibreLAMP will soon be migrating to the Postfix 3.2.x branch, based on the Fedora 25 RPM for Postfix 3.2.5. The package does currently build and works but a migration guide from 2.10.x/2.11.x needs to be written, there are some significant configuration changes.

Dovecot Packaging Notes

[Dovecot Logo]

RHEL/CentOS 7 ships with Dovecot 2.2.10. LibreLAMP provides Dovecot 2.3.3.

If you are upgrading an existing Dovecot install, there are some configuration changes you need to be aware of. Please see the Dovecot Configuration page for more details.

Previously LibreLAMP shipped Dovecot 2.2.27 but there are clear benefits to the 2.3.x update and the 2.2.x branch will be end of life soon.


DH Parameter Notes

By default, both Postfix and Dovecot as packaged here will use the file /etc/pki/tls/dh2048.pem for the DH parameters when using a TLS cipher suite that uses DHE.

That file is regenerated once a day by the cron script /etc/cron.daily/generate_dh_params.sh

Other secure options you can use:

  • /etc/pki/tls/dh3072.pem (custom generated weekly)
  • /etc/pki/tls/dh4096.pem (custom generated weekly)
  • /etc/pki/tls/MODP-IKE-2048-group14.pem (RFC 3526 group)
  • /etc/pki/tls/MODP-IKE-3072-group15.pem (RFC 3526 group)
  • /etc/pki/tls/MODP-IKE-4096-group16.pem (RFC 3526 group)
  • /etc/pki/tls/MODP-IKE-6144-group17.pem (RFC 3526 group)

The RFC 3526 groups are well-studied groups which can have advantages over poorly selected groups that may contain primes with certain vulnerable characteristics. Some administrators prefer to use the RFC 3526 groups over custom generated groups that have not been studied at all. Server software (like Apache) often has the RFC 3526 groups hard-coded and uses them by default when custom groups are not specified.

Others (including myself) trust the DH generation of LibreSSL not to be poor and to produce parameters that are safe. Even though these recently generated groups have not been studied, we prefer to use frequently changing parameters no one has studied. There is a risk that the LibreSSL library has a bug in its own validation that the generated group is quality.

You should NOT use DH parameters below 2048-bit, it may be possible for well-funded attackers to break them which means at some point soon it will be possible for mediocre funded attackers to break them. It is insane to use DH parameters below 1024-bit, they can be broken cheaply.

Please see https://weakdh.org/ for more information on weak DH parameters.


Source

All software packages in LibreLAMP are Free Libre Open Source Software licensed under various FLOSS licenses.

The source code, including all patches, can be obtained in Source RPM packages located at http://awel.domblogger.net/7/libre/src/repoview/.