Postfix with individual 2048bit DH group for PFS without Logjam, Poodle, FREAK

[chris_cross]

Dear colleagues,
I tried to harden our plesk servers and encountered a problem with switching to individual dh keys.
We are running Postfix version 2.9.6-2 on Debian 7 boxes with Plesk 12.

First I removed SSLv3 and limited the Ciphers as proposed on the Guide to Deploying Diffie-Hellman for TLS. All excluded Ciphers won't be served. Never the less the newly created individual 2048bit DH key under /etc/ssl/dhparam.pem would not be used.

The test-tool: https://tools.keycdn.com/logjam can check for ports. So when I check port 25, I get the message, that the server is not vulnerable, but that I should turn on ECDH.

So I was wondering what is missing. I checked the postfix documentation, but could not find further help there.

I´ve kept the master.cf as is and changed the main.cf to this:

smtpd_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_cert_file=/opt/psa/admin/conf/httpsd.pem
smtpd_tls_key_file=/opt/psa/admin/conf/httpsd.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem # this is an individual 2048bit key
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_ciphers = high

Do I have to modify the master.cf as well?
Here I found entries for every domain/ip:

plesk-domainname.com-1.2.3.4 - unix - n n - - smtp -o smtp_bind_address=1.2.3.4 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=domainname.com

Do I have to add the -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file to those entries? I want to keep the setting permanent. I experienced in the past, that plesk tends to overwrite the setting I´ve made.

Does someone have a "best practise" for Postfix with Plesk for high security?
Finally I want to use only TLS1 - TLS1.2, secure ciphers and 2048 Diffie-Hellmann keys.

Thanks

Chris

 

[UFHH01]

Hi chris_cross,

The test-tool: https://tools.keycdn.com/logjam can check for ports. So when I check port 25, I get the message, that the server is not vulnerable, but that I should turn on ECDH.

Could you please explain, what makes you think, that your test - "tool" acts like a client and will perform a "starttls" command, so that your mail-server would respond with a procedure to negotiate the encryption method and the cipher usage? If this would be the case, then you would see such a request in your mail.log, as for example:

May 30 00:00:01 servername postfix/smtpd[12345]: connect from servername.domain.com[123.123.123.123]
May 30 00:00:01 servername postfix/smtpd[12345]: Anonymous TLS connection established from servername.domain.com[123.123.123.123]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

If the test "tool" doesn't negotiate encryption and cipher, then you will see:

May 30 00:00:01 servername postfix/smtpd[14453]: connect from servername.domain.com[123.123.123.123]
May 30 00:00:01 servername postfix/smtpd[14453]: lost connection after UNKNOWN from servername.domain.com[123.123.123.123]

You seem to think, that a mail-server acts the same way as a webserver, when using your test "tool". But this is not the case. Please use instead the openssl client to check:

for SMTP:
openssl s_client -CApath /etc/postfix/certs/ssl-cert-and-key.pem -starttls smtp -crlf -connect localhost:25 ( "localhost" can as well be the desired IP, or DOMAIN.COM )

for POP3:
openssl s_client -CApath /path/to/your/server_and_chain_certificate.pem -starttls pop3 -crlf -connect localhost:110 ( "localhost" can as well be the desired IP, or DOMAIN.COM )

for IMAP:
openssl s_client -CApath /path/to/your/server_and_chain_certificate.pem -starttls imap -crlf -connect localhost:143 ( "localhost" can as well be the desired IP, or DOMAIN.COM )​

Please check as well with "sslscan DOMAIN.COM | grep Accepted" for unsecure cipher suites ( if you don't already have "sslcan" installed, please use "apt-get install sslscan" ).


As an addition, you might use "tls_preempt_cipherlist = yes" to ignore some remote SMTP clients preference to use cipher suites without forward secrecy and force them to use - but please be aware that this may cause issues/problems with some older Exchange servers.


The recommended usage is indeed, to define in "master.cf"

        -o smtpd_tls_dh1024_param_file=${config_directory}/dhparam.pem
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes

... where "${config_directory}/" could as well cause issues/problems, so that the full path is recommended ( in your case: "/etc/ssl/dhparam.pem" ).


To complete my recommendations, I add a full example, for a server with at least 2 IPs:

# ================================================================================
plesk-first-DOMAIN.COM-123.123.123.123- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/your_full_path/to_your/crt_or_key/mail.first-DOMAIN.COM.key
    -o smtpd_tls_cert_file=/your_full_path/to_your/crt_or_key/mail.first-DOMAIN.COM.crt
    -o smtp_bind_address=123.123.123.123
    -o smtp_bind_address6=2001:0ab18:12a3:0000:0000:1a2e:0000:0001
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=first-DOMAIN.COM
    -o myhostname=mail.first-DOMAIN.COM
# ================================================================================
plesk-second-DOMAIN.COM-123.123.123.124- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/your_full_path/to_your/crt_or_key/mail.second-DOMAIN.COM.key
    -o smtpd_tls_cert_file=/your_full_path/to_your/crt_or_key/mail.second-DOMAIN.COM.crt
    -o smtp_bind_address=123.123.123.124
    -o smtp_bind_address6=2001:0ab18:12a3:0000:0000:1a2e:0000:0002
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=second-DOMAIN.COM
    -o myhostname=mail.second-DOMAIN.COM
# ================================================================================

Please always make a backup of your current working "main.cf" and "master.cf", because Plesk may indeed overwrite some settings/definitions, during updates/upgrades or patches!​

As well, I would like to link to "http://www.postfix.org/FORWARD_SECRECY_README.html" for more informations about "forward secrecy" and postfix.

 

[chris_cross]

Thanks for your reply. I did not get the notification, so sorry for the delayed reply.
Besides the online tool I used a self written shell script using openssl s_client and gutls for verification similar to what you proposed.

The important hint has been the proper use of the master.cf.

Thanks!