AW: TLS Security
Aki Tuomi
aki.tuomi at open-xchange.com
Thu Jul 15 16:52:14 EEST 2021
https://testssl.sh/
Aki
> On 15/07/2021 16:51 Stefan Schumacher <s.schumacher at consulting1x1.com> wrote:
>
>
> Hi Aki,
>
>
> Where do I get testssh.sl? If the script is of your design could you mail it to me?
>
>
> Yours
> Stefan
>
> ------------------------------
> From: Aki Tuomi <aki.tuomi at open-xchange.com>
> Sent: Wednesday, 14 July 2021 19:34
> To: Stefan Schumacher <s.schumacher at consulting1x1.com>; dovecot at dovecot.org <dovecot at dovecot.org>
> Subject: Re: TLS Security
>
> > On 14/07/2021 17:55 Stefan Schumacher <s.schumacher at consulting1x1.com> wrote:
> >
> >
> > Hi,
> >
> >
> > I wish to build a new secure email server. It seems I am on the right way – at least I get no more error messages for Postfix – but Dovecot is still making trouble.
> >
> >
> > I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to do the rough configuring and nano and what's left of my brain to do the finer details. Let's start with what I added to conf.d/10-ssl.conf
> >
> >
> > ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem
> > ssl_key = </etc/letsencrypt/live/servername/privkey.pem
> >
> >
> > ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$
> > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> > ssl_min_protocol = TLSv1.2
> >
> >
> > As you can see, I clearly do not want to use TLS before v1.2. I think this is not unreasonable in the year 2021.
> >
> >
> > Now, after the changes I ran Kali (I use it to verify the results of my experiments)
> > and - this is a mailing list, so no screenshots:
> > It says:
> >
> >
> > SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the ports 143, 110, 993 and 995.
> >
> >
> > I thought I had done everything one could to disable old TLS-Versions. What am I doing wrong?
> >
> >
> > Yours sincerely
> > Stefan Schumacher
> >
> >
>
> Hi!
>
> First of all, 2.3.4.1 is a bit old, and has no proper support for TLSv1.3, which is supported better on a later version. Now, I installed 2.3.4.1 from Debian 10, and tested with testssl.sh and got
>
> SSLv2 not offered (OK)
> SSLv3 not offered (OK)
> TLS 1 not offered
> TLS 1.1 not offered
> TLS 1.2 offered (OK)
> TLS 1.3 offered (OK): final
> NPN/SPDY not offered
> ALPN/HTTP2 not offered
>
> TLSv1.2 (no server order, thus listed by strength)
> xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> xc028 ECDHE-RSA-AES256-SHA384 ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 521 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
> xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 521 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
> xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> xc027 ECDHE-RSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 521 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
> xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 521 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLSv1.3 (no server order, thus listed by strength)
> x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
> x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
> x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
>
> I used:
>
> listen = *
> mail_attribute_dict = file:%h/Mail/dovecot-attributes
> mail_gid = vmail
> mail_home = /home/vmail/%Lu
> mail_location = sdbox:~/Mail
> mail_uid = vmail
> passdb {
> args = password=#hidden_use-P_to_show#
> driver = static
> }
> protocols = imap
> ssl_cert = <cert.pem
> ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
>
> Aki
>
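
An added example, not part of the thread: a small Python check that reads the protocol section of testssl.sh output, in the line format quoted in the reply above, and reports whether anything below TLS 1.2 is still offered. The function names and the second sample are constructed for illustration; it assumes plain-text output without colour codes.

```python
import re

# Protocols that must not be offered when the goal is "nothing below TLS 1.2".
DEPRECATED = {"SSLv2", "SSLv3", "TLS 1", "TLS 1.1"}

# One protocol line: protocol name, whitespace, then "offered" or "not offered".
LINE_RE = re.compile(r"^(SSLv[23]|TLS 1(?:\.[123])?)\s+(not offered|offered)\b")

def parse_protocols(report):
    """Map protocol name -> True/False (offered or not) from the report text."""
    result = {}
    for line in report.splitlines():
        line = line.lstrip("> ")  # tolerate mail-quote prefixes and indentation
        m = LINE_RE.match(line)
        if m:
            result[m.group(1)] = (m.group(2) == "offered")
    return result

def audit(report):
    """Return deprecated protocols that are offered, plus any the report never
    mentions; a missing line is treated as unknown, not as a pass."""
    protos = parse_protocols(report)
    offered = sorted(p for p in DEPRECATED if protos.get(p) is True)
    unknown = sorted(p for p in DEPRECATED if p not in protos)
    return {"offered": offered, "unknown": unknown,
            "ok": not offered and not unknown}

# Protocol lines as quoted in the reply on this page.
PAGE_SAMPLE = """\
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
"""

# Constructed sample: what a server still accepting TLS 1.0/1.1 could look like.
CONSTRUCTED_BAD = """\
> SSLv2 not offered (OK)
> SSLv3 not offered (OK)
> TLS 1 offered (deprecated)
> TLS 1.1 offered (deprecated)
> TLS 1.2 offered (OK)
"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_SAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name, audit(text))
```

Running the scan once per listener (143, 110, 993 and 995 in the original question) and feeding each report to `audit` shows per port whether the setting took effect.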