<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="margin:0px; font-size:12pt">Hi Justina,</span> </div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt"><br>
</div>
<span style="margin:0px; font-size:12pt">Kali tools is of course extremly unprecise. Excuse me, I had a long stressful day and wanted to get this out before the end of the Day. Kali is a rolling release, which I update regularly. By Kali Tools I of course meant
the Greenbone Community Edition, of which the former and more well-known OpenVAS is now only one possibly multiple scanners. </span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
The mailserver itself is based on Debian which currently 10.10 (11.0 is going to be released in a few days). I upgraded the dovecot components from backports but this caused no change. I am currently considering getting the Bullseye RC2 and then testing on
it but I am of course open for any other suggestions. Maybe someone with more knowledge of postfix can add or point out advisable changes to these settings.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Yours sincerely </div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Stefan</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
smtpd_use_tls = yes
<div>smtpd_tls_cert_file = /etc/postfix/smtpd.cert</div>
<div>smtpd_tls_key_file = /etc/postfix/smtpd.key</div>
<div>smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache</div>
<div>smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache</div>
<div><br>
</div>
<div>smtpd_tls_eecdh_grade = strong</div>
<div>smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1</div>
<div>smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1</div>
<div>smtpd_tls_mandatory_ciphers = high</div>
<div>smtpd_tls_security_level=may</div>
<div>smtpd_tls_ciphers = high</div>
<div>tls_preempt_cipherlist = yes</div>
<div>smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL</div>
<div>smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL</div>
<div>smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1</div>
<span>smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="appendonsend"></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>Von:</b> justina colmena ~biz <justina@colmena.biz><br>
<b>Gesendet:</b> Mittwoch, 14. Juli 2021 18:50<br>
<b>An:</b> dovecot@dovecot.org <dovecot@dovecot.org>; Stefan Schumacher <s.schumacher@consulting1x1.com><br>
<b>Betreff:</b> Re: TLS Security</font>
<div> </div>
</div>
<div dir="ltr">Interesting.<br>
<br>
Assuming your "Kali" tools are in fact up to date to test with newer protocols TLS1.2+, is Dovecot compiled against a recent version of the OpenSSL or GnuTLS library or whatever it uses to support the newer TLS protocols?<br>
<br>
Definitely an outdated cipher issue, on Postfix as well as Dovecot....<br>
<br>
<br>
<div class="x_gmail_quote">On July 14, 2021 6:55:19 AM AKDT, Stefan Schumacher <s.schumacher@consulting1x1.com> wrote:
<blockquote class="x_gmail_quote" style="margin:0pt 0pt 0pt 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
Hi,</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
I wish to build a new secure email server. It seems I am on the right way – at least I get no more error messages for Postfix – but Dovecot is still making trouble.
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to do the rough configuring and nano and whats left of my brain to do the finer details. Lets start with what I added to conf.d/10-ssl.conf</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
ssl_key = </etc/letsencrypt/live/servername/privkey.pem</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
ssl_min_protocol = TLSv1.2</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
As you can see, I clearly do not want to use TLS before v1.2. I think this is not unreasonable in the year 2021.
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
Now, after the changes I ran Kali (I use it to verify the results of my experiments)</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
and - this is a mailing list, so no screenshots:</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
It says:</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the ports 143, 110, 993 and 995.</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
I thought I had done everything one could to disable old TLS-Versions. What am I doing wrong?</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
<br>
</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
Yours sincerely</p>
<p style="margin-top: 0px; margin-bottom: 0px;margin-top: 0px; margin-bottom: 0px;margin-bottom:0cm; line-height:100%; background:transparent">
Stefan Schumacher</p>
<br>
</div>
</blockquote>
</div>
<br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</div>
</body>
</html>