• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

Postfix with individual 2048bit DH group for PFS without Logjam, Poodle, FREAK

C

chris_cross

New Pleskian
Dear colleagues,
I tried to harden our plesk servers and encountered a problem with switching to individual dh keys.
We are running Postfix version 2.9.6-2 on Debian 7 boxes with Plesk 12.

First I removed SSLv3 and limited the Ciphers as proposed on the Guide to Deploying Diffie-Hellman for TLS. All excluded Ciphers won't be served. Never the less the newly created individual 2048bit DH key under /etc/ssl/dhparam.pem would not be used.

The test-tool: https://tools.keycdn.com/logjam can check for ports. So when I check port 25, I get the message, that the server is not vulnerable, but that I should turn on ECDH.

So I was wondering what is missing. I checked the postfix documentation, but could not find further help there.

I´ve kept the master.cf as is and changed the main.cf to this:

smtpd_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_cert_file=/opt/psa/admin/conf/httpsd.pem
smtpd_tls_key_file=/opt/psa/admin/conf/httpsd.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem # this is an individual 2048bit key
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_ciphers = high

Do I have to modify the master.cf as well?
Here I found entries for every domain/ip:

plesk-domainname.com-1.2.3.4 - unix - n n - - smtp -o smtp_bind_address=1.2.3.4 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=domainname.com

Do I have to add the -o smtpd_tls_dh1024_param_file=$submission_tls_dh1024_param_file to those entries? I want to keep the setting permanent. I experienced in the past, that plesk tends to overwrite the setting I´ve made.

Does someone have a "best practise" for Postfix with Plesk for high security?
Finally I want to use only TLS1 - TLS1.2, secure ciphers and 2048 Diffie-Hellmann keys.

Thanks

Chris
 
Hi chris_cross,

chris_cross said:
The test-tool: https://tools.keycdn.com/logjam can check for ports. So when I check port 25, I get the message, that the server is not vulnerable, but that I should turn on ECDH.
Click to expand...

Could you please explain, what makes you think, that your test - "tool" acts like a client and will perform a "starttls" command, so that your mail-server would respond with a procedure to negotiate the encryption method and the cipher usage? If this would be the case, then you would see such a request in your mail.log, as for example:
Code: 
May 30 00:00:01 servername postfix/smtpd[12345]: connect from servername.domain.com[123.123.123.123]
May 30 00:00:01 servername postfix/smtpd[12345]: Anonymous TLS connection established from servername.domain.com[123.123.123.123]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
If the test "tool" doesn't negotiate encryption and cipher, then you will see:
Code: 
May 30 00:00:01 servername postfix/smtpd[14453]: connect from servername.domain.com[123.123.123.123]
May 30 00:00:01 servername postfix/smtpd[14453]: lost connection after UNKNOWN from servername.domain.com[123.123.123.123]


You seem to think, that a mail-server acts the same way as a webserver, when using your test "tool". But this is not the case. Please use instead the openssl client to check:

for SMTP:
openssl s_client -CApath /etc/postfix/certs/ssl-cert-and-key.pem -starttls smtp -crlf -connect localhost:25 ( "localhost" can as well be the desired IP, or DOMAIN.COM )

for POP3:
openssl s_client -CApath /path/to/your/server_and_chain_certificate.pem -starttls pop3 -crlf -connect localhost:110 ( "localhost" can as well be the desired IP, or DOMAIN.COM )

for IMAP:
openssl s_client -CApath /path/to/your/server_and_chain_certificate.pem -starttls imap -crlf -connect localhost:143 ( "localhost" can as well be the desired IP, or DOMAIN.COM )


Please check as well with "sslscan DOMAIN.COM | grep Accepted" for unsecure cipher suites ( if you don't already have "sslcan" installed, please use "apt-get install sslscan" ).


As an addition, you might use "tls_preempt_cipherlist = yes" to ignore some remote SMTP clients preference to use cipher suites without forward secrecy and force them to use - but please be aware that this may cause issues/problems with some older Exchange servers.


The recommended usage is indeed, to define in "master.cf"
Code: 
        -o smtpd_tls_dh1024_param_file=${config_directory}/dhparam.pem
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
... where "${config_directory}/" could as well cause issues/problems, so that the full path is recommended ( in your case: "/etc/ssl/dhparam.pem" ).


To complete my recommendations, I add a full example, for a server with at least 2 IPs:
Code: 
# ================================================================================
plesk-first-DOMAIN.COM-123.123.123.123- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/your_full_path/to_your/crt_or_key/mail.first-DOMAIN.COM.key
    -o smtpd_tls_cert_file=/your_full_path/to_your/crt_or_key/mail.first-DOMAIN.COM.crt
    -o smtp_bind_address=123.123.123.123
    -o smtp_bind_address6=2001:0ab18:12a3:0000:0000:1a2e:0000:0001
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=first-DOMAIN.COM
    -o myhostname=mail.first-DOMAIN.COM
# ================================================================================
plesk-second-DOMAIN.COM-123.123.123.124- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/your_full_path/to_your/crt_or_key/mail.second-DOMAIN.COM.key
    -o smtpd_tls_cert_file=/your_full_path/to_your/crt_or_key/mail.second-DOMAIN.COM.crt
    -o smtp_bind_address=123.123.123.124
    -o smtp_bind_address6=2001:0ab18:12a3:0000:0000:1a2e:0000:0002
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=second-DOMAIN.COM
    -o myhostname=mail.second-DOMAIN.COM
# ================================================================================

Please always make a backup of your current working "main.cf" and "master.cf", because Plesk may indeed overwrite some settings/definitions, during updates/upgrades or patches!



As well, I would like to link to "http://www.postfix.org/FORWARD_SECRECY_README.html" for more informations about "forward secrecy" and postfix.
 
Thanks for your reply. I did not get the notification, so sorry for the delayed reply.
Besides the online tool I used a self written shell script using openssl s_client and gutls for verification similar to what you proposed.

The important hint has been the proper use of the master.cf.

Thanks!
 
You must log in or register to reply here.

Similar threads

O
Resolved Two words about Postfix and SSL/TLS
Replies
5
Views
9K
David Marques Neves
David Marques Neves
Back
Top