guam tls settings

Milan Petrovic petrovic.milan at gmail.com
Fri Oct 18 17:14:31 CEST 2019


Well, dkim is a pain. Still cannot make it work. I also wasn't able to
harden the directory service (you'll see in the nmap output bellow), but
I'm not mad about that part... DKIM is what I spend most of my day around
as it ensures messages from your mail server wouldn't end up as a spam in
someone's mailbox.

Regarding the nmap, below is the output of the command when I run it from
my local computer. But I had to change some settings in postfix as without
those changes when Google receives email from my server they mark the
connection as unencrypted. So I had to make the following changes just so I
could have recipients from GMail/Google mail get my messages correctly:

#smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
#smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=SSLv3,TLSv1
smtpd_tls_protocols=SSLv3,TLSv1
#smtp_tls_mandatory_protocols='!SSLv2,!SSLv3'
#smtp_tls_protocols='!SSLv2,!SSLv3'
smtp_tls_mandatory_protocols=SSLv3,TLSv1
smtp_tls_protocols=SSLv3,TLSv1

I'll see how to add TLSv1.2 and TLSv1.2 at some point today, later.

Now, the nmap:
→ nmap --script ssl-enum-ciphers mail.MyServer.com

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-18 17:03 CEST
Nmap scan report for mail.MyServer.com (my.IP.add.ress)
Host is up (0.064s latency).
Not shown: 987 filtered ports
PORT      STATE  SERVICE
80/tcp    open   http
143/tcp   open   imap
389/tcp   open   ldap
443/tcp   open   https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
465/tcp   closed smtps
587/tcp   open   submission
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     cipher preference error: Network error
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
636/tcp   closed ldapssl
993/tcp   open   imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (brainpoolP256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (brainpoolP256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (brainpoolP256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
8080/tcp  closed http-proxy
8082/tcp  closed blackice-alerts
9000/tcp  closed cslistener
10024/tcp closed unknown
10025/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 14.73 seconds

On Fri, Oct 18, 2019 at 4:58 PM David Obando <david at cryptix.net> wrote:

> Hi,
>
> I use the current stable 16.1 and didn't setup DKIM yet (but I want to).
>
> Did you check which TLS and ciphers your system offers to the world? With
> "nmap --script ssl-enum-ciphers servername" you'll get an overview.
>
>
> Best regards,
>
> d.
>
>
> Am 18.10.19 um 16:43 schrieb Milan Petrovic:
>
> My logs are the same, but I didn't find it odd. Maybe I should :)
>
> On an unrelated note: what version of Kolab do you have and have you been
> setting DKIM?
>
> On Thu, Oct 17, 2019 at 2:24 PM David Obando <david at cryptix.net> wrote:
>
>> Hi,
>>
>> unfortunately not.
>>
>> I hardenen cyrus:
>>
>> Oct 17 14:20:19 mail02 imaps[13990]: inittls: Loading hard-coded DH
>> parameters
>> Oct 17 14:20:19 mail02 imaps[13990]: starttls: TLSv1.2 with cipher
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits reused) no authentication
>>
>>
>> but my server still offers TLSv1 and v1.1 plus weak ciphers.
>>
>>
>> Best regards,
>>
>> David
>>
>>
>> Am 16.10.19 um 23:27 schrieb Milan Petrovic:
>>
>> As far as my understanding is, guam is just a proxy for cyrus, so, any
>> details you define in your imapd.conf. Guam as a proxy should just be able
>> to pass through the connection.
>>
>> It's just my understanding, maybe I'm wrong.
>>
>> On Wed, Oct 16, 2019 at 4:54 PM David Obando <david at cryptix.net> wrote:
>>
>>> Hi all,
>>>
>>> I'm new to the list and about to setup a new kolab system.
>>>
>>> As I'm about to harden all services I got stuck with tweaking guams tls
>>> settings.
>>>
>>> Is there a way to at least define TLS protocol version and TLS ciphers?
>>>
>>>
>>> Thanks and best regards,
>>>
>>> David
>>>
>>>
>>>
>>> --
>>> encrypt!
>>> gpg --keyserver pgp.mit.edu --recv-keys 6A25B6A3
>>> Schl.-Fingerabdruck = 15FF 16DC 494C EABD 6DF8  B388 4EB8 056C 6A25 B6A3
>>> _______________________________________________
>>> users mailing list
>>> users at lists.kolab.org
>>> https://lists.kolab.org/mailman/listinfo/users
>>>
>>
>> _______________________________________________
>> users mailing listusers at lists.kolab.orghttps://lists.kolab.org/mailman/listinfo/users
>>
>> --
>> encrypt!
>> gpg --keyserver pgp.mit.edu --recv-keys 6A25B6A3
>> Schl.-Fingerabdruck = 15FF 16DC 494C EABD 6DF8  B388 4EB8 056C 6A25 B6A3
>>
>> _______________________________________________
>> users mailing list
>> users at lists.kolab.org
>> https://lists.kolab.org/mailman/listinfo/users
>
> --
> encrypt!
> gpg --keyserver pgp.mit.edu --recv-keys 6A25B6A3
> Schl.-Fingerabdruck = 15FF 16DC 494C EABD 6DF8  B388 4EB8 056C 6A25 B6A3
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kolab.org/pipermail/users/attachments/20191018/96f8f274/attachment.html>


More information about the users mailing list