• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Postfix with individual 2048bit DH group for PFS without Logjam, Poodle, FREAK

chris_cross

New Pleskian
Dear colleagues,
I tried to harden our plesk servers and encountered a problem with switching to individual dh keys.
We are running Postfix version 2.9.6-2 on Debian 7 boxes with Plesk 12.

First I removed SSLv3 and limited the Ciphers as proposed on the Guide to Deploying Diffie-Hellman for TLS. All excluded Ciphers won't be served. Never the less the newly created individual 2048bit DH key under /etc/ssl/dhparam.pem would not be used.

The test-tool: https://tools.keycdn.com/logjam can check for ports. So when I check port 25, I get the message, that the server is not vulnerable, but that I should turn on ECDH.

So I was wondering what is missing. I checked the postfix documentation, but could not find further help there.

I´ve kept the master.cf as is and changed the main.cf to this:

smtpd_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_cert_file=/opt/psa/admin/conf/httpsd.pem
smtpd_tls_key_file=/opt/psa/admin/conf/httpsd.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem # this is an individual 2048bit key
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_ciphers = high

Do I have to modify the master.cf as well?
Here I found entries for every domain/ip:

plesk-domainname.com-1.2.3.4 - unix - n n - - smtp -o smtp_bind_address=1.2.3.4 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=domainname.com

Do I have to add the -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file to those entries? I want to keep the setting permanent. I experienced in the past, that plesk tends to overwrite the setting I´ve made.

Does someone have a "best practise" for Postfix with Plesk for high security?
Finally I want to use only TLS1 - TLS1.2, secure ciphers and 2048 Diffie-Hellmann keys.

Thanks

Chris
 
Hi chris_cross,

The test-tool: https://tools.keycdn.com/logjam can check for ports. So when I check port 25, I get the message, that the server is not vulnerable, but that I should turn on ECDH.

Could you please explain, what makes you think, that your test - "tool" acts like a client and will perform a "starttls" command, so that your mail-server would respond with a procedure to negotiate the encryption method and the cipher usage? If this would be the case, then you would see such a request in your mail.log, as for example:
Code:
May 30 00:00:01 servername postfix/smtpd[12345]: connect from servername.domain.com[123.123.123.123]
May 30 00:00:01 servername postfix/smtpd[12345]: Anonymous TLS connection established from servername.domain.com[123.123.123.123]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
If the test "tool" doesn't negotiate encryption and cipher, then you will see:
Code:
May 30 00:00:01 servername postfix/smtpd[14453]: connect from servername.domain.com[123.123.123.123]
May 30 00:00:01 servername postfix/smtpd[14453]: lost connection after UNKNOWN from servername.domain.com[123.123.123.123]


You seem to think, that a mail-server acts the same way as a webserver, when using your test "tool". But this is not the case. Please use instead the openssl client to check:

for SMTP:
openssl s_client -CApath /etc/postfix/certs/ssl-cert-and-key.pem -starttls smtp -crlf -connect localhost:25 ( "localhost" can as well be the desired IP, or DOMAIN.COM )

for POP3:
openssl s_client -CApath /path/to/your/server_and_chain_certificate.pem -starttls pop3 -crlf -connect localhost:110 ( "localhost" can as well be the desired IP, or DOMAIN.COM )

for IMAP:
openssl s_client -CApath /path/to/your/server_and_chain_certificate.pem -starttls imap -crlf -connect localhost:143 ( "localhost" can as well be the desired IP, or DOMAIN.COM )


Please check as well with "sslscan DOMAIN.COM | grep Accepted" for unsecure cipher suites ( if you don't already have "sslcan" installed, please use "apt-get install sslscan" ).


As an addition, you might use "tls_preempt_cipherlist = yes" to ignore some remote SMTP clients preference to use cipher suites without forward secrecy and force them to use - but please be aware that this may cause issues/problems with some older Exchange servers.


The recommended usage is indeed, to define in "master.cf"
Code:
        -o smtpd_tls_dh1024_param_file=${config_directory}/dhparam.pem
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
... where "${config_directory}/" could as well cause issues/problems, so that the full path is recommended ( in your case: "/etc/ssl/dhparam.pem" ).


To complete my recommendations, I add a full example, for a server with at least 2 IPs:
Code:
# ================================================================================
plesk-first-DOMAIN.COM-123.123.123.123- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/your_full_path/to_your/crt_or_key/mail.first-DOMAIN.COM.key
    -o smtpd_tls_cert_file=/your_full_path/to_your/crt_or_key/mail.first-DOMAIN.COM.crt
    -o smtp_bind_address=123.123.123.123
    -o smtp_bind_address6=2001:0ab18:12a3:0000:0000:1a2e:0000:0001
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=first-DOMAIN.COM
    -o myhostname=mail.first-DOMAIN.COM
# ================================================================================
plesk-second-DOMAIN.COM-123.123.123.124- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/your_full_path/to_your/crt_or_key/mail.second-DOMAIN.COM.key
    -o smtpd_tls_cert_file=/your_full_path/to_your/crt_or_key/mail.second-DOMAIN.COM.crt
    -o smtp_bind_address=123.123.123.124
    -o smtp_bind_address6=2001:0ab18:12a3:0000:0000:1a2e:0000:0002
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=second-DOMAIN.COM
    -o myhostname=mail.second-DOMAIN.COM
# ================================================================================

Please always make a backup of your current working "main.cf" and "master.cf", because Plesk may indeed overwrite some settings/definitions, during updates/upgrades or patches!



As well, I would like to link to "http://www.postfix.org/FORWARD_SECRECY_README.html" for more informations about "forward secrecy" and postfix.
 
Thanks for your reply. I did not get the notification, so sorry for the delayed reply.
Besides the online tool I used a self written shell script using openssl s_client and gutls for verification similar to what you proposed.

The important hint has been the proper use of the master.cf.

Thanks!
 
Back
Top