AW: TLS Security

Thu Jul 15 15:55:36 EEST 2021

Hi Justina,

Kali tools is of course extremly unprecise. Excuse me, I had a long stressful day and wanted to get this out before the end of the Day. Kali is a rolling release, which I update regularly. By Kali Tools I of course meant the Greenbone Community Edition, of which the former and more well-known OpenVAS is now only one possibly multiple scanners.

The mailserver itself is based on Debian which currently 10.10 (11.0 is going to be released in a few days). I upgraded the dovecot components from backports but this caused no change. I am currently considering getting the Bullseye RC2 and then testing on it but I am of course open for any other suggestions. Maybe someone with more knowledge of postfix can add or point out advisable changes to these settings.

Yours sincerely
Stefan

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level=may
smtpd_tls_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

________________________________
Von: justina colmena ~biz <justina at colmena.biz>
Gesendet: Mittwoch, 14. Juli 2021 18:50
An: dovecot at dovecot.org <dovecot at dovecot.org>; Stefan Schumacher <s.schumacher at consulting1x1.com>
Betreff: Re: TLS Security

Interesting.

Assuming your "Kali" tools are in fact up to date to test with newer protocols TLS1.2+, is Dovecot compiled against a recent version of the OpenSSL or GnuTLS library or whatever it uses to support the newer TLS protocols?

Definitely an outdated cipher issue, on Postfix as well as Dovecot....

On July 14, 2021 6:55:19 AM AKDT, Stefan Schumacher <s.schumacher at consulting1x1.com> wrote:

Hi,

I wish to build a new secure email server. It seems I am on the right way – at least I get no more error messages for Postfix – but Dovecot is still making trouble.

I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to do the rough configuring and nano and whats left of my brain to do the finer details. Lets start with what I added to conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem

ssl_key = </etc/letsencrypt/live/servername/privkey.pem

ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$

ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

ssl_min_protocol = TLSv1.2

As you can see, I clearly do not want to use TLS before v1.2. I think this is not unreasonable in the year 2021.

Now, after the changes I ran Kali (I use it to verify the results of my experiments)

and - this is a mailing list, so no screenshots:

It says:

SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the ports 143, 110, 993 and 995.

I thought I had done everything one could to disable old TLS-Versions. What am I doing wrong?

Yours sincerely

Stefan Schumacher

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20210715/1feff398/attachment.html>