1

Topic: performance vs security on 1 GB droplet

After realizing that a 512MB droplet just can't handle the load, I switched over to a

1 GB droplet (+ 2GB swap)
iRedMail standard install
commercial SSL certificate
greylisting disabled

Performance is good using standard settings.
I also enabled SSL stapling and I think (or want to believe) that it's even a tick faster now.

Security with standard settings is an acceptable A- (via SSLLABS test)

The test is complaining that:
- there is no Strict-Transport-Security in place
- server does not support Forward Secrecy

However, if I enable either of the two above, my mailbox freezes right after I send out a single email.

My question is:
Is this happening because of low RAM, or does iRedMail simply not support these additional security measures?


==== Required information ====
- iRedMail version: 0.9.0.
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NGINX
- Linux/BSD distribution name and version: 14.04
- Related log if you're reporting an issue:
====


2

Re: performance vs security on 1 GB droplet

jimmicarson wrote:

The test is complaining that:
- there is no Strict-Transport-Security in place
- server does not support Forward Secrecy

I wonder what 'Strict-Transport-Security' and 'Forward Secrecy' are.

3 (edited by jimmicarson 2015-05-08 22:18:12)

Re: performance vs security on 1 GB droplet

I'm sorry I didn't make it clearer, since I'm new to this and was not sure what's common knowledge among server admins. These are strictly SSL-related features that have nothing to do with the iRedMail software package. Basically these measures provide an extra layer of security in protecting the information exchange between client and mail server.

Forward Secrecy ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.
More info here: https://en.wikipedia.org/wiki/Forward_secrecy


HTTP Strict Transport Security (HSTS) is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking.
More info here: https://en.wikipedia.org/wiki/HTTP_Stri … t_Security

Since not many people seem to be aware of this, I assume that enhanced SSL encryption is simply too overwhelming for a 1 GB RAM server that is already struggling to run iRedMail smoothly. If that's the case, then I'll just accept that you can't have it all on a $10/month server.

4

Re: performance vs security on 1 GB droplet

If your version of Nginx supports it, then it will work. You have to think of iRedMail as an installer and a set of configs; since we don't build the packages ourselves but use the official repos, everything supported officially on your distro will be supported natively.
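Both SSL Labs findings discussed in posts 3 and 4 (no Strict-Transport-Security header, no forward secrecy) are settings in the Nginx server block that serves the webmail, so the way to check them is to look at that block. The script below is an added example, not code from this thread or from the iRedMail project: it audits a small nginx TLS server block for SSLv3, for cipher suites with static RSA key exchange (no forward secrecy, recognized by the OpenSSL suite name), and for a missing, malformed or short-lived HSTS header. The two server blocks, the certificate paths and the host name are constructed samples; the 180-day max-age threshold is the value SSL Labs uses for "long duration" HSTS.

```python
"""Audit an nginx TLS server block for the SSL Labs findings in the thread:
legacy SSL protocols, cipher suites without forward secrecy, and missing HSTS.
Added example; config strings, paths and host names below are constructed."""
import re

# Constructed sample 1: static-RSA key exchange only (no forward secrecy), SSLv3 on, no HSTS.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/mail.example.com.crt;   # hypothetical paths
    ssl_certificate_key /etc/ssl/private/mail.example.com.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA;
}
"""

# Constructed sample 2: ECDHE-only suites (forward secrecy, cheap key exchange), HSTS for one year.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/mail.example.com.crt;
    ssl_certificate_key /etc/ssl/private/mail.example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
"""

MIN_HSTS_AGE = 180 * 24 * 3600  # SSL Labs "long duration" bar: 180 days in seconds

# An explicit OpenSSL suite name (ECDHE-RSA-AES128-SHA, TLS_AES_128_GCM_SHA256), as opposed to
# aliases such as HIGH, kEECDH, !aNULL or @STRENGTH which need `openssl ciphers -v` to expand.
EXPLICIT_SUITE = re.compile(r"^(TLS_[A-Z0-9_]+|[A-Z0-9]+(?:-[A-Z0-9]+)+)$")


def forward_secret(suite):
    """OpenSSL spells ephemeral (EC)DH key exchange out in the name; TLS 1.3 suites are always ephemeral."""
    return suite.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def classify_ciphers(spec):
    """Split an nginx ssl_ciphers string into (forward-secret suites, static suites, unexpanded aliases)."""
    fs, static, aliases = [], [], []
    for tok in spec.strip("\"'").split(":"):
        if not tok:
            continue
        if not EXPLICIT_SUITE.match(tok):
            aliases.append(tok)
        elif forward_secret(tok):
            fs.append(tok)
        else:
            static.append(tok)
    return fs, static, aliases


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if max-age is missing or not a number."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            directives[k.strip().lower()] = v.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}


def parse_directives(conf):
    """Pull single-line directives out of an nginx block: ({name: value}, {header: value}).
    Simplified on purpose: nested blocks are not tracked and a later duplicate overrides an earlier one."""
    directives, headers = {}, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, value = line.partition(" ")
        value = value.strip()
        if name == "add_header":
            hname, _, hval = value.partition(" ")
            headers[hname.lower()] = hval.strip().strip("\"'")
        else:
            directives[name] = value.strip("\"'")
    return directives, headers


def audit(conf):
    """Return a list of finding strings; an empty list means the block passes these three checks."""
    directives, headers = parse_directives(conf)
    findings = []
    legacy = sorted(set(directives.get("ssl_protocols", "").split()) & {"SSLv2", "SSLv3"})
    if legacy:
        findings.append("legacy protocols enabled: " + " ".join(legacy))
    _fs, static, _aliases = classify_ciphers(directives.get("ssl_ciphers", ""))
    if static:
        findings.append("no forward secrecy: " + ":".join(static))
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("malformed Strict-Transport-Security: " + hsts)
        elif parsed["max_age"] < MIN_HSTS_AGE:
            findings.append("HSTS max-age below 180 days: %d" % parsed["max_age"])
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

Two practitioner caveats the thread does not spell out. First, neither setting is a memory question: HSTS is one extra response header, and ECDHE key exchange adds only a small per-handshake CPU cost (DHE is the expensive variant, and on nginx it also needs `ssl_dhparam` to avoid short default parameters), so the sample above sticks to ECDHE suites. Second, an `add_header` inside a nested `location` block replaces the ones inherited from the `server` block, so the HSTS header must be present at every level that sets headers, and it must only be sent over HTTPS; this script checks one flat block and does not model that inheritance. SSL Labs tests port 443 only, so forward secrecy for SMTP and IMAP is configured separately in Postfix and Dovecot and is not covered here.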