Hello all,
I did a test for a new MiaB instance via internet.nl. I got a 97% score for email and 95% for web, which is pretty neat! But, in security I would like to have the highest score possible, so I would like to see what I could do or what could be updated to gain a 100% score.
The following things are insufficient in the email server test:
- TLS Version: TLS 1.0 (not sure) and TLS 1.1 are still supported.
- Ciphers: AES256-GCM-SHA384 is selected as Cipher
- Key Exchange parameters: At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange. Affected parameters: DH-2048
The following things are insufficient in the web server test:
- HTTP Compression: enabled and could possibly be a security risk
- HSTS policy: web server offers an HSTS policy with a cache validity period (max-age) that is not sufficiently long (i.e. less than 1 year). max-age=15768000 (generally, you want to set a custom HTTP header for Strict-Transport-Security with the value max-age=31536000)
- Key Exchange parameters: Web server supports insufficiently secure parameters for Diffie-Hellman key exchange. Affected parameters: DH-2048
- No security options are selected, see: Security options
internet.nl has a very good reputation and is backed by many organisations in the Netherlands. See About Internet.nl for more information.
I hope we can make MiaB as safe as possible and hopefully the above ‘insufficient’ matters can be fixed by default.
Sincerely,
Spyros
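The HSTS finding above comes down to one number in the Strict-Transport-Security header. The following checker, added here as an example and not part of the post or of Mail-in-a-Box, parses a header value following RFC 6797 directive syntax and reports whether max-age meets the one-year minimum (31536000 seconds) that internet.nl applies; the sample header values are constructed from the figures quoted in the post.

```python
"""Evaluate Strict-Transport-Security header values against the one-year
max-age threshold cited in the post. Added example, not Mail-in-a-Box code."""
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age internet.nl expects


def parse_hsts(header):
    """Parse an HSTS header value (RFC 6797 syntax) into a dict of directives.
    Directive names are case-insensitive; values may be quoted."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            # RFC 6797 section 6.1: a directive must not appear more than once
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value
    return directives


def check_hsts(header):
    """Return a list of findings for a header value (None = header absent).
    An empty list means the policy satisfies the one-year requirement."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return [str(e)]
    if "max-age" not in d or not re.fullmatch(r"\d+", d["max-age"]):
        return ["max-age missing or not an integer"]
    findings = []
    age = int(d["max-age"])
    if age < ONE_YEAR:
        findings.append("max-age=%d is below one year (%d)" % (age, ONE_YEAR))
    return findings


# Constructed samples: the value reported in the post, the recommended one,
# and a missing header.
if __name__ == "__main__":
    for h in ["max-age=15768000", "max-age=31536000; includeSubDomains", None]:
        print(repr(h), "->", check_hsts(h) or ["ok"])
```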