[Resolved] Two words about Postfix and SSL/TLS

OverWolf

Regular Pleskian
Hi,

I'm trying to configure Roundcube to use Postfix with TLS, but I have some trouble with error 250/220, so I've tried to use the PHP mail function (webmail/Roundcube is on the same server as Postfix). Now I can send email, but my question is about security: is this mode (PHP mail) secure? Or should I configure smtpd submission?

Other question is about this log :

Code:
postfix/smtpd[22870]: warning: TLS library problem: 22870:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:

I've seen that from two servers I have this "problem". I know that I have excluded some ciphers, but I have done this for security reasons, because those ciphers are old and deprecated. This is my main.cf:

Code:
smtp_tls_exclude_ciphers = aNULL, eNULL, LOW, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, SSLv2, SSLv3

My question is: how do I know which ciphers are used by that server that now cannot "talk" with my server?


My last question is about an IP that continues to try to use my server, but the connection is lost after AUTH. This is the log:
Code:
postfix/smtpd[22692]: lost connection after AUTH from unknown[179.125.24.179]
postfix/smtpd[22692]: disconnect from unknown[179.125.24.179]
Is there a fail2ban filter that can ban clients that try to connect and disconnect too many times?

Thank you
 
"Is this mode secure": Yes.

"How to know which ciphers is used from that server ...": How to enable debug mode of postfix - Red Hat Customer Portal
In my opinion it does not make sense to disable ciphers. You will never know what other servers want to use and what they do not want to use. When you solve this issue here, the next server might bring up the same issue with another cipher.

"Is there a fail2ban filter ...": I am afraid there is not. The "lost connection" can be caused by regular, valid users who are not doing anything after login and not logging out. If you block such IPs, you will block normal users, too, in many cases.
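A practical way to act on Peter's point that you cannot know in advance what other servers will offer is to inventory what peers actually negotiate. The following is an added Python example for this thread, not code from the thread, from Postfix or from Plesk: it tabulates protocol and cipher per peer from Postfix smtpd TLS log lines and correlates the "SSL_accept error from host[ip]" line (which names the peer) with the "TLS library problem ... no shared cipher" warning (which carries only the PID), so you can see which peer failed and why. Two Postfix details worth keeping in mind when reading the main.cf quoted above: smtp_tls_exclude_ciphers governs the Postfix SMTP client (outbound), while the warning above comes from smtpd (inbound), whose cipher set is controlled by smtpd_tls_ciphers and smtpd_tls_exclude_ciphers; and smtpd_tls_mandatory_ciphers applies only when TLS is mandatory (smtpd_tls_security_level = encrypt), not for opportunistic TLS. The sample log lines are constructed.

```python
"""Which TLS protocol and cipher does each peer actually negotiate with Postfix
smtpd, and which peers fail the handshake (e.g. "no shared cipher")?

Added example for this thread, not Postfix or Plesk code. The line formats
follow Postfix's own smtpd TLS log messages; the sample log is constructed."""
import re
from collections import Counter, defaultdict

# Successful handshake, logged at smtpd_tls_loglevel >= 1:
#   "Anonymous TLS connection established from host[ip]: TLSv1.2 with cipher X (256/256 bits)"
TLS_OK = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) "
    r"with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
# Failed handshake: the peer appears on the "SSL_accept error from host[ip]: -1" line;
# the "TLS library problem ... no shared cipher" warning carries only the PID,
# so the two are correlated by PID below.
TLS_FAIL = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: SSL_accept error from (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)
TLS_REASON = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r".*?:SSL routines:[^:]+:(?P<reason>[^:]+):"
)


def tls_inventory(lines):
    """Return (negotiated, failed).

    negotiated: {ip: Counter({(protocol, cipher): count})}
    failed:     {ip: [reason, ...]}, reason being the OpenSSL error text
                ("no shared cipher") or "unknown" if no warning accompanied it.
    """
    negotiated = defaultdict(Counter)
    failed = defaultdict(list)
    pending_reason = {}  # pid -> reason logged before its SSL_accept error line
    open_failure = {}    # pid -> (ip, index into failed[ip]) still lacking a reason
    for line in lines:
        m = TLS_OK.search(line)
        if m:
            negotiated[m["ip"]][(m["proto"], m["cipher"])] += 1
            continue
        m = TLS_FAIL.search(line)
        if m:
            pid, ip = m["pid"], m["ip"]
            failed[ip].append(pending_reason.pop(pid, "unknown"))
            if failed[ip][-1] == "unknown":
                open_failure[pid] = (ip, len(failed[ip]) - 1)
            continue
        m = TLS_REASON.search(line)
        if m:
            pid, reason = m["pid"], m["reason"].strip()
            if pid in open_failure:
                ip, idx = open_failure.pop(pid)
                failed[ip][idx] = reason
            else:
                pending_reason[pid] = reason
    return dict(negotiated), dict(failed)


def report(negotiated, failed):
    """Render a per-peer table; peers on old protocols or failing outright stand out."""
    rows = []
    for ip, combos in sorted(negotiated.items()):
        for (proto, cipher), n in combos.most_common():
            rows.append(f"{ip:<16} {proto:<8} {cipher:<32} x{n}")
    for ip, reasons in sorted(failed.items()):
        rows.append(f"{ip:<16} HANDSHAKE FAILED: {', '.join(reasons)}")
    return "\n".join(rows)


# Constructed sample log (not real traffic); the warning line mirrors the one in the thread.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx postfix/smtpd[22868]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:02:40 mx postfix/smtpd[22869]: Untrusted TLS connection established from old-relay.example.net[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar  3 10:03:05 mx postfix/smtpd[22870]: SSL_accept error from legacy.example.com[203.0.113.5]: -1
Mar  3 10:03:05 mx postfix/smtpd[22870]: warning: TLS library problem: 22870:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
Mar  3 10:04:18 mx postfix/smtpd[22871]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
""".splitlines()

if __name__ == "__main__":
    print(report(*tls_inventory(SAMPLE_LOG)))
```

Run it over /var/log/maillog (or whatever Plesk writes mail logs to on your system) to see which peers are still on TLSv1/CBC ciphers before deciding whether a cipher exclusion will cut them off; a peer that shows up only under "HANDSHAKE FAILED: no shared cipher" is one whose entire offered list was excluded.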
 
Hi Peter,

thank you for your answers. I have checked my configuration and found the solution for the 250/220 error, so now I can send my mail via SMTP. For the ciphers, I think that if a server uses "those old and insecure" ciphers, well, it isn't configured as a "good" server, because the ciphers I have used are based on Mozilla's Moderate Cipher List.

For fail2ban I have found a solution, because those connections aren't from "my" valid users, and especially they are consecutive (like a DDoS attack).
 
Hi Peter,

for my first issue, I've seen that Roundcube was configured to use "bad" ciphers, so I have changed $config['cipher_method'] and the problem with SMTP was gone.

For the second issue, I have explicitly set tls_medium_cipherlist (which is the one in use), and now other SMTP servers can connect with mine.

For Fail2Ban I use this failregex: lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]. Now false users are banned.
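To see how that failregex behaves against a real log, and how fail2ban's maxretry and findtime keep it from banning the ordinary user Peter described (one dropped session after login), here is an added Python example that simulates the filter and the ban decision. It is not fail2ban's code and not the thread author's; <HOST> is expanded here to a simplified IPv4/IPv6 matcher (fail2ban's own expansion is broader, which is an assumption of this example), and the log lines are constructed.

```python
"""fail2ban-style check of the failregex from this thread against Postfix log
lines: an IP is banned only when it trips the regex maxretry times within
findtime seconds, so one dropped session from a real user is not enough.

Added example, not fail2ban's or the thread author's code. <HOST> is expanded
here to a simplified IPv4/IPv6 matcher (assumption: fail2ban's own expansion
is broader), and the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# The failregex exactly as posted; fail2ban substitutes <HOST> before compiling.
FAILREGEX = r"lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]"
HOST = r"(?P<host>[0-9a-fA-F:.]+)"  # simplified stand-in for fail2ban's <HOST> (assumption)
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST))


def parse_syslog_ts(line, year):
    """Syslog lines carry no year, so the caller supplies one (as fail2ban does)."""
    month, day, clock = line.split()[:3]
    return datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")


def ban_decisions(lines, maxretry=5, findtime=600, year=2024):
    """Return {ip: datetime_of_ban} using a sliding findtime window per IP,
    mirroring fail2ban's maxretry/findtime semantics."""
    hits = defaultdict(list)  # ip -> timestamps of recent matches
    banned = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue                      # "disconnect from ..." etc. never match
        ip = m["host"]
        if ip in banned:
            continue                      # already banned; nothing more to decide
        now = parse_syslog_ts(line, year)
        window = hits[ip]
        window.append(now)
        # Forget matches older than findtime seconds.
        while window and (now - window[0]).total_seconds() > findtime:
            window.pop(0)
        if len(window) >= maxretry:
            banned[ip] = now
    return banned


# Constructed log: one scripted client hammering AUTH (the pattern from the thread),
# one valid user who closed the client once, and one host with a few spread-out drops.
SAMPLE_LOG = """\
Mar  3 09:10:00 mx postfix/smtpd[22601]: lost connection after EHLO from flaky.example.net[198.51.100.9]
Mar  3 09:40:00 mx postfix/smtpd[22633]: lost connection after EHLO from flaky.example.net[198.51.100.9]
Mar  3 10:00:01 mx postfix/smtpd[22692]: lost connection after AUTH from unknown[179.125.24.179]
Mar  3 10:00:01 mx postfix/smtpd[22692]: disconnect from unknown[179.125.24.179]
Mar  3 10:00:14 mx postfix/smtpd[22693]: lost connection after AUTH from unknown[179.125.24.179]
Mar  3 10:00:27 mx postfix/smtpd[22694]: lost connection after AUTH from unknown[179.125.24.179]
Mar  3 10:00:41 mx postfix/smtpd[22695]: lost connection after EHLO from unknown[179.125.24.179]
Mar  3 10:00:55 mx postfix/smtpd[22696]: lost connection after AUTH from unknown[179.125.24.179]
Mar  3 10:01:09 mx postfix/smtpd[22697]: lost connection after UNKNOWN from unknown[179.125.24.179]
Mar  3 10:05:30 mx postfix/smtpd[22700]: lost connection after AUTH from client.example.org[192.0.2.50]
Mar  3 10:20:00 mx postfix/smtpd[22712]: lost connection after EHLO from flaky.example.net[198.51.100.9]
""".splitlines()

if __name__ == "__main__":
    for ip, when in ban_decisions(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults above only the client that dropped five sessions inside ten minutes is banned; the single drop from client.example.org and the three drops spread over more than an hour from flaky.example.net never reach maxretry inside findtime. The same trade-off applies in a real jail: the lower you set maxretry or the wider findtime, the more of Peter's "normal users" you will catch, so test a new filter with fail2ban-regex against your own log before enabling the jail.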
 
Workaround, disabling strict TLS to allow an old, not updated Exchange server (in my case) to connect to Postfix at Plesk:

In /etc/postfix/main.cf, comment out the following lines and insert the last one, as below:

#smtpd_tls_ciphers = medium
#smtpd_tls_mandatory_ciphers = medium
#tls_medium_cipherlist = HIGH:!aNULL:!MD5
#smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
#smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2

smtpd_tls_mandatory_ciphers = low
 