confused with ssl settings and some error - need help
Hi,
To the default dovecot.conf file I added (based on documentation I found):

ssl = required
disable_plaintext_auth = yes #change default 'no' to 'yes'
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
ssl_dh_parameters_length = 2048
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
1. Are these settings good or can they be improved?
2. Is this line proper: ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
   or maybe should it be: ssl_protocols = !SSLv2 !SSLv3
3. Last thing. I have the errors below (they appear in a loop in the mail.err log file):

#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
When I set up in the postfix main.cf file (other lines default):

tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = yes
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous,noplaintext
smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
#instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't know what should be setup
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
Is there some communication between dovecot and postfix using the above ciphers, or something else that generates those errors in the log, or maybe some public client tries to connect and can't establish a connection?
Server with Ubuntu 16.04 LTS, postfix 3.1, dovecot 2.2.22 and openssl 1.0.2k.
*Pozdrawiam / Best Regards* *Piotr Bracha*
*tel. 534 555 877*
*serwis@poliman.pl <serwis@poliman.pl>*
On April 27, 2017 at 8:12 AM Poliman - Serwis <serwis@poliman.pl> wrote:
Hi,
To the default dovecot.conf file I added (based on documentation I found):

ssl = required
disable_plaintext_auth = yes #change default 'no' to 'yes'
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
ssl_dh_parameters_length = 2048
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
This looks like a rather cumbersome way to define ciphers.
1. Are these settings good or can they be improved?
2. Is this line proper: ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
Well, if you only want to support TLSv1.2, which might lead to trouble.
   or maybe should it be: ssl_protocols = !SSLv2 !SSLv3
3. Last thing. I have the errors below (they appear in a loop in the mail.err log file):

#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
This means your client did not support your enabled ciphers.
When I set up in the postfix main.cf file (other lines default):

tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = yes
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous,noplaintext
smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
#instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't know what should be setup
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
Is there some communication between dovecot and postfix using the above ciphers, or something else that generates those errors in the log, or maybe some public client tries to connect and can't establish a connection?
If you are using LMTP, then some of those settings will cause changes in how LMTP works as well.
Server with Ubuntu 16.04 LTS, postfix 3.1, dovecot 2.2.22 and openssl 1.0.2k.
Aki
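The log lines in this thread mix several distinct OpenSSL failure reasons, and only one of them ("no shared cipher") says that a well-formed client was turned away by the cipher policy; the rest are hellos the server could not parse at all, which is what a vulnerability scanner produces. The script below is an added example, not code from the thread or from Dovecot: it parses Dovecot's "Stacked error" lines (the sample input is copied from this thread, plus one constructed non-error line), groups them by reason and login service, and gives a triage verdict.

```python
import re
from collections import Counter, defaultdict

# Sample input: lines quoted in this thread (Dovecot 2.2.22, OpenSSL 1.0.2k),
# one of them with the leading '#' the first post used, plus one constructed
# successful-login line (192.0.2.10 is a documentation address) to show that
# non-error lines are skipped.
SAMPLE_LOG = """\
Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
Apr 27 08:55:20 serwer-1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, TLS
"""

# Syslog-style Dovecot line carrying an OpenSSL error; the reason is the last
# colon-separated field and may contain spaces, so the function name is [^:]+.
LINE_RE = re.compile(
    r"^#?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<service>[\w-]+): Error: SSL: Stacked error: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)

# How to read each reason from the defender's seat:
#   handshake-shape : the bytes were not a ClientHello this server could parse
#                     (plaintext on a TLS port, an SSLv2-style or truncated hello,
#                     a malformed extension block). Scanners send these on purpose;
#                     a very old client can too, so correlate with the source address.
#   policy          : a well-formed hello, but none of the offered suites survive
#                     ssl_cipher_list / ssl_protocols. Only this class means a real
#                     client is being locked out by the configuration.
#   record          : a record after the hello failed decryption or MAC verification.
REASON_CLASS = {
    "unknown protocol": "handshake-shape",
    "wrong version number": "handshake-shape",
    "parse tlsext": "handshake-shape",
    "no shared cipher": "policy",
    "decryption failed or bad record mac": "record",
}


def parse_line(line):
    """Return a dict for a Dovecot SSL error line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["class"] = REASON_CLASS.get(rec["reason"], "other")
    return rec


def triage(log_text):
    """Count error classes overall, per login service and per reason string."""
    by_class, reasons = Counter(), Counter()
    by_service = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_class[rec["class"]] += 1
        by_service[rec["service"]][rec["class"]] += 1
        reasons[rec["reason"]] += 1
    return {
        "by_class": dict(by_class),
        "by_service": {svc: dict(c) for svc, c in by_service.items()},
        "reasons": dict(reasons),
        "skipped": skipped,
    }


def verdict(summary):
    """'probes-only': scanner-style noise; 'policy-only': real clients rejected by
    the cipher/protocol policy; 'mixed': both; 'none': nothing to act on."""
    shape = summary["by_class"].get("handshake-shape", 0)
    policy = summary["by_class"].get("policy", 0)
    if shape and policy:
        return "mixed"
    if shape:
        return "probes-only"
    if policy:
        return "policy-only"
    return "none"


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key in ("by_class", "by_service", "reasons"):
        print(f"{key}: {summary[key]}")
    print("verdict:", verdict(summary))
```

Run it against the real mail.err instead of SAMPLE_LOG; if the verdict is probes-only and the timestamps line up with the scan window, the cipher list is not what needs changing.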
Thank You for the answers. But:
1. How should ssl_cipher_list be properly configured?
2. Ok, removed !TLSv1 !TLSv1.1.
3. Strange thing with ssl_protocols and ssl_cipher_list, because on an older server with Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines look exactly the same, there are no errors in the mail.err file and mail works without any problem.
4. No, currently I don't use LMTP.
On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis@poliman.pl> wrote:
Thank You for the answers. But:
1. How should ssl_cipher_list be properly configured?
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
To disable non-EC DH, use:
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
2. Ok, removed !TLSv1 !TLSv1.1.
3. Strange thing with ssl_protocols and ssl_cipher_list, because on an older server with Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines look exactly the same, there are no errors in the mail.err file and mail works without any problem.
4. No, currently I don't use LMTP.
It is possible that postfix is not causing this error.
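The two ssl_cipher_list strings Aki gives above can be expanded on the local OpenSSL to see which suites actually survive and whether any non-forward-secret or legacy suite slips through. This is an added example, not code from the thread or from Dovecot; it assumes Python's ssl module, which hands the string to the same OpenSSL cipher-string parser Dovecot uses, so the exact list depends on the installed OpenSSL (the key-exchange check assumes OpenSSL 1.1.0 or later, where static DH/ECDH suites no longer exist).

```python
import ssl

# The two strings suggested in this thread.
BASE = ("ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:"
        "!PSK:!RC4:!ADH:!LOW@STRENGTH")
NO_DH = ("ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:"
         "!PSK:!RC4:!ADH:!LOW@STRENGTH")

# Substrings that must not appear in any surviving suite name once the
# exclusions are applied: RC4, single/triple DES, MD5, NULL encryption or
# authentication, PSK, SRP, anonymous DH, export grade.
FORBIDDEN = ("RC4", "DES", "MD5", "NULL", "PSK", "SRP", "ADH", "EXP")


def expand_cipher_list(cipher_string):
    """Resolve an OpenSSL cipher string the way a TLS server would.

    Returns the enabled TLS 1.2-and-below suite names in server preference
    order. TLS 1.3 suites (TLS_*) are configured separately in OpenSSL and are
    not affected by this string, so they are dropped here. Unknown keywords
    such as kDHd on OpenSSL 1.1.0+ are ignored by the parser, not rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit_cipher_list(cipher_string, allow_dhe=True):
    """Report suites that still carry a forbidden algorithm, and suites whose
    key exchange is not forward secret (anything but ECDHE, or DHE when allowed)."""
    names = expand_cipher_list(cipher_string)
    problems = [n for n in names if any(f in n for f in FORBIDDEN)]
    good_kx = ("ECDHE-", "DHE-") if allow_dhe else ("ECDHE-",)
    bad_kx = [n for n in names if not n.startswith(good_kx)]
    return {"count": len(names), "problems": problems, "bad_kx": bad_kx}


if __name__ == "__main__":
    for label, spec, dhe in (("base", BASE, True), ("no non-EC DH", NO_DH, False)):
        r = audit_cipher_list(spec, allow_dhe=dhe)
        print(f"{label}: {r['count']} suites, problems={r['problems']}, "
              f"non-forward-secret={r['bad_kx']}")
        for name in expand_cipher_list(spec):
            print("   ", name)
```

The same expansion is available from the shell as `openssl ciphers -v '<string>'`, which is the quickest way to compare the output of the old 14.04 box with the 16.04 one.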
Does the cipher list You posted provide better compatibility or security than the one I currently have? On the older software version this cipher list works well and does not generate any errors when I run an Internal PCI scan test from https://cloud.tenable.com against another server. But for the new server with newer software I got errors in mail.err during the test.
I turned off ssl_cipher_list in the dovecot.conf file (so it's the default) but the test still gives errors:

Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
What kind of test are you running?
Aki
On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis@poliman.pl> wrote:
I turned of ssl_cipher_list in dovecot.conf file (so it's default) but test still gives errors: Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis@poliman.pl>:
Cipher list which You post provide better compatibility or security than those which I currently have? On older software version these cipher list works well and not generate any errors when I run Internal PCI scan test from https://cloud.tenable.com for another server. But for new server with newer software during test I got errors in mail.err.
2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis@poliman.pl> wrote:
Thank You for answers. But:
- How should be properly configured ssl_cipher_list?
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
To disable non-EC DH, use:
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS: !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
- Ok, removed !TLSv1 !TLSv1.1.
- Strange thing with ssl_protocols and ssl_cipher_list, because on older server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines looks exactly this same and no errors in mail.err file and mailes works without any problem.
- No, currently I don't use LMTP.
it is possible that postfix is not causing this error.
2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
On April 27, 2017 at 8:12 AM Poliman - Serwis <serwis@poliman.pl>
Hi, To default dovecot.conf file I added (based on found documentation): ssl = required disable_plaintext_auth = yes #change default 'no' to 'yes' ssl_prefer_server_ciphers = yes ssl_options = no_compression ssl_dh_parameters_length = 2048 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:! RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES- CBC3-SHA:!KRB5-DES-CBC3-SHA
This looks rather cumbersome way to define ciphers.
- Are these settings good or can be improved?
- Is this line proper: ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
Well if you only want to support TLSv1.2, which might lead into
wrote: trouble.
or maybe should be: ssl_protocols = !SSLv2 !SSLv3 3. Last thing. I have below errors (they appear in loop in mail.err
log
file): #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
This means your client did not support your enabled ciphers.
When I set up the following in the postfix main.cf file (other lines default):
tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = yes
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous,noplaintext
smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
#instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't know what should be set up
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
Is there some communication between dovecot and postfix using the above ciphers, or something else that generates those errors in the log, or maybe some public client tries to connect and can't establish a connection?
If you are using LMTP, then some of those settings will cause changes in how LMTP works as well.
Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and openssl 1.0.2k.
*Pozdrawiam / Best Regards* *Piotr Bracha*
*tel. 534 555 877*
*serwis@poliman.pl <serwis@poliman.pl>*
Aki
Internal PCI Scan on the Tenable.io website. Of course after registering an account.
2017-04-30 9:11 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
What kind of test are you running?
Aki
On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis@poliman.pl> wrote:
I turned off ssl_cipher_list in the dovecot.conf file (so it's the default) but the test still gives errors:
Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis@poliman.pl>:
Does the cipher list which you posted provide better compatibility or security than the one I currently have? On the older software version this cipher list works well and does not generate any errors when I run the Internal PCI scan test from https://cloud.tenable.com for another server. But for the new server with newer software I got errors in mail.err during the test.
2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi@dovecot.fi>:
On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis@poliman.pl> wrote:
Thank you for the answers. But:
- How should ssl_cipher_list be properly configured?
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
To disable non-EC DH, use:
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
- Ok, removed !TLSv1 !TLSv1.1.
- Strange thing with ssl_protocols and ssl_cipher_list: on the older server with Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these lines look exactly the same, there are no errors in the mail.err file and mail works without any problem.
- No, currently I don't use LMTP.
It is possible that postfix is not causing this error.
Then it's rather expected that you'll get some TLS errors, especially when tenable.io tests for algorithms to see which ones work and which ones won't.
Aki
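The log lines in this thread are worth triaging rather than just silencing. The following is an added example, not code from the thread or from Dovecot: a small Python script that parses the Dovecot "SSL: Stacked error" lines, maps each OpenSSL 1.0.x reason string to what it usually means on the server side, and clusters errors into time bursts, since a scanner such as the tenable.io PCI test walks through protocol versions and cipher suites in quick succession while a single misconfigured real client fails the same way slowly and repeatedly. The sample log lines, the hostname and the year are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample modelled on the Dovecot lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
Apr 27 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Apr 27 14:08:52 serwer-1 dovecot: imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.10
"""
LOG_YEAR = 2017  # syslog timestamps carry no year; assumed for the constructed sample
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>[\w-]+): "
    r"Error: SSL: Stacked error: error:(?P<code>[0-9A-F]{8}):"
    r"SSL routines:(?P<func>[^:]+):(?P<reason>.+)$")

# OpenSSL 1.0.x reason strings seen in the thread and what each usually means server-side.
REASON_CLASS = {
    "unknown protocol": "client sent a non-TLS or SSLv2-style hello",
    "wrong version number": "client offered a protocol version outside ssl_protocols",
    "no shared cipher": "client offered no cipher permitted by ssl_cipher_list",
    "parse tlsext": "malformed or unsupported TLS extension in the client hello",
    "decryption failed or bad record mac": "handshake record failed its MAC check",
}

def parse_ssl_errors(text):
    """One dict per Dovecot 'SSL: Stacked error' line; every other line is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        ev["meaning"] = REASON_CLASS.get(ev["reason"], "unclassified OpenSSL reason")
        events.append(ev)
    return events

def bursts(events, window_seconds=60, min_count=3):
    """Cluster errors landing within window_seconds of a cluster's first error. A scanner
    walking protocol versions and cipher suites leaves a dense burst of assorted reasons;
    one misconfigured mail client repeats the same reason slowly and never forms a burst."""
    groups = []
    for ev in sorted(events, key=lambda e: e["when"]):
        if not groups or (ev["when"] - groups[-1][0]["when"]).total_seconds() > window_seconds:
            groups.append([])
        groups[-1].append(ev)
    return [{"start": g[0]["ts"], "count": len(g),
             "services": sorted({e["svc"] for e in g}),
             "reasons": sorted({e["reason"] for e in g})}
            for g in groups if len(g) >= min_count]
```

On the sample, the four errors at 08:55 form one burst spanning both pop3-login and imap-login, while the lone "no shared cipher" at 14:08 does not, which is the kind of split that separates a scan from a real client worth investigating.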