<div dir="ltr"><div>Well, DKIM is a pain. Still cannot make it work. I also wasn't able to harden the directory service (you'll see in the nmap output below), but I'm not mad about that part... DKIM is what I spent most of my day on, as it ensures messages from your mail server won't end up as spam in someone's mailbox.<br></div><div><br></div><div>Regarding nmap, below is the output of the command when I run it from my local computer. But I had to change some settings in Postfix, as without those changes, when Google receives email from my server, they mark the connection as unencrypted. So I had to make the following changes just so recipients on Gmail/Google mail get my messages correctly:</div><div><br></div><pre>#smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
#smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=SSLv3,TLSv1
smtpd_tls_protocols=SSLv3,TLSv1
#smtp_tls_mandatory_protocols='!SSLv2,!SSLv3'
#smtp_tls_protocols='!SSLv2,!SSLv3'
smtp_tls_mandatory_protocols=SSLv3,TLSv1
smtp_tls_protocols=SSLv3,TLSv1</pre><div><br></div><div>I'll see how to add TLSv1.2 and TLSv1.2 at some point today, later.</div><div><br></div><div>Now, the nmap:<br></div><pre>→ nmap --script ssl-enum-ciphers <a href="http://mail.MyServer.com">mail.MyServer.com</a>

Starting Nmap 7.60 ( <a href="https://nmap.org">https://nmap.org</a> ) at 2019-10-18 17:03 CEST
Nmap scan report for <a href="http://mail.MyServer.com">mail.MyServer.com</a> (my.IP.add.ress)
Host is up (0.064s latency).
Not shown: 987 filtered ports
PORT      STATE  SERVICE
80/tcp    open   http
143/tcp   open   imap
389/tcp   open   ldap
443/tcp   open   https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
465/tcp   closed smtps
587/tcp   open   submission
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     cipher preference error: Network error
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
636/tcp   closed ldapssl
993/tcp   open   imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (brainpoolP256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (brainpoolP256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (brainpoolP256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (brainpoolP256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
8080/tcp  closed http-proxy
8082/tcp  closed blackice-alerts
9000/tcp  closed cslistener
10024/tcp closed unknown
10025/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 14.73 seconds</pre></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 18, 2019 at 4:58 PM David Obando <<a href="mailto:david@cryptix.net">david@cryptix.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi,</p>
<p>I use the current stable 16.1 and didn't set up DKIM yet (but I
want to).</p>
<p>Did you check which TLS and ciphers your system offers to the
world? With "nmap --script ssl-enum-ciphers servername" you'll get
an overview.</p>
<p><br>
</p>
<p>Best regards,</p>
<p>d.<br>
</p>
<p><br>
</p>
<div>Am 18.10.19 um 16:43 schrieb Milan
Petrovic:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>My logs are the same, but I didn't find it odd. Maybe I
should :)</div>
<div><br>
</div>
<div>On an unrelated note: what version of Kolab do you have and
have you been setting DKIM?<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Oct 17, 2019 at 2:24
PM David Obando <<a href="mailto:david@cryptix.net" target="_blank">david@cryptix.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi,</p>
<p>unfortunately not.</p>
<p>I hardened cyrus:</p>
<p>Oct 17 14:20:19 mail02 imaps[13990]: inittls: Loading
hard-coded DH parameters<br>
Oct 17 14:20:19 mail02 imaps[13990]: starttls: TLSv1.2
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits
reused) no authentication</p>
<p><br>
</p>
<p>but my server still offers TLSv1 and v1.1 plus weak
ciphers.</p>
<p><br>
</p>
<p>Best regards,</p>
<p>David<br>
</p>
<p><br>
</p>
<div>Am 16.10.19 um 23:27 schrieb Milan Petrovic:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>As far as my understanding is, guam is just a proxy
for cyrus, so, any details you define in your
imapd.conf. Guam as a proxy should just be able to
pass through the connection.</div>
<div><br>
</div>
<div>It's just my understanding, maybe I'm wrong.<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Oct 16, 2019
at 4:54 PM David Obando <<a href="mailto:david@cryptix.net" target="_blank">david@cryptix.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all,<br>
<br>
I'm new to the list and about to setup a new kolab
system.<br>
<br>
As I'm about to harden all services, I got stuck with
tweaking guam's TLS<br>
settings.<br>
<br>
Is there a way to at least define TLS protocol version
and TLS ciphers?<br>
<br>
<br>
Thanks and best regards,<br>
<br>
David<br>
<br>
<br>
<br>
-- <br>
encrypt!<br>
gpg --keyserver <a href="http://pgp.mit.edu" rel="noreferrer" target="_blank">pgp.mit.edu</a> --recv-keys
6A25B6A3<br>
Schl.-Fingerabdruck = 15FF 16DC 494C EABD 6DF8 B388
4EB8 056C 6A25 B6A3<br>
_______________________________________________<br>
users mailing list<br>
<a href="mailto:users@lists.kolab.org" target="_blank">users@lists.kolab.org</a><br>
<a href="https://lists.kolab.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.kolab.org/mailman/listinfo/users</a><br>
</blockquote>
</div>
<br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div>
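<p>As an added example (not code from this thread, from nmap, Postfix, Cyrus or Kolab), the Python script below reads the text that <code>nmap --script ssl-enum-ciphers</code> prints and lists, per open port, the points a reviewer would raise from a scan like the one above: SSLv3/TLS 1.0/1.1 still offered, CBC suites under SSLv3 (the CVE-2014-3566 warning nmap prints), 3DES (SWEET32), 1024-bit DH, static-RSA suites with no forward secrecy, and any suite nmap grades below A. The scan text embedded in it is a constructed excerpt in the layout of nmap 7.60's report with a made-up host and address (that layout is the parser's only assumption); nothing in it is a real scan result.</p>

```python
"""Flag weak TLS settings in ``nmap --script ssl-enum-ciphers`` text output.
Added example for this thread, not nmap's, Postfix's, Cyrus's or Kolab's code;
SAMPLE_SCAN is a constructed excerpt (assumed nmap 7.60 layout, made-up host)."""
from __future__ import annotations
import re
from dataclasses import dataclass

DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+(\S+)")
PROTO_RE = re.compile(r"^(SSLv3|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+) \(([^)]+)\) - ([A-F])$")

SAMPLE_SCAN = """\
PORT      STATE  SERVICE
443/tcp   open   https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: client
|_  least strength: A
465/tcp   closed smtps
587/tcp   open   submission
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|_  least strength: A
993/tcp   open   imaps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
|_  least strength: C
"""


@dataclass
class Cipher:
    name: str
    kex: str          # "dh", "rsa" or a named curve such as secp384r1
    bits: int | None  # key-exchange size when nmap prints one, else None
    grade: str        # nmap's letter grade for the suite


def parse_scan(text: str) -> dict[int, dict[str, list[Cipher]]]:
    """port -> protocol -> ciphers, for open ports that have script output."""
    reports: dict[int, dict[str, list[Cipher]]] = {}
    port = proto = section = None
    for raw in text.splitlines():
        if m := PORT_RE.match(raw):
            # A new port line resets state; closed/filtered ports carry no output.
            port = int(m.group(1)) if m.group(2) == "open" else None
            proto = section = None
            continue
        if port is None or not raw.startswith("|"):
            continue
        line = raw.lstrip("|_ ").rstrip()  # strip nmap's "|   " / "|_  " tree prefix
        if m := PROTO_RE.match(line):
            proto, section = m.group(1), None
            reports.setdefault(port, {})[proto] = []
        elif line in ("ciphers:", "compressors:", "warnings:"):
            section = line[:-1]
        elif proto and section == "ciphers" and (m := CIPHER_RE.match(line)):
            kex = m.group(2).split()  # "dh 2048", "rsa 2048" or "secp384r1"
            bits = int(kex[1]) if len(kex) == 2 else None
            reports[port][proto].append(Cipher(m.group(1), kex[0], bits, m.group(3)))
    return reports


def assess(by_proto: dict[str, list[Cipher]]) -> dict[str, set[str]]:
    """Issue code -> offending protocol or 'protocol cipher' strings for one port."""
    issues: dict[str, set[str]] = {}

    def flag(code: str, what: str) -> None:
        issues.setdefault(code, set()).add(what)

    for proto, ciphers in by_proto.items():
        if proto in DEPRECATED_PROTOCOLS:
            flag("deprecated_protocol", proto)
        for c in ciphers:
            if proto == "SSLv3" and "_CBC_" in c.name:  # POODLE, CVE-2014-3566
                flag("cbc_under_sslv3", f"{proto} {c.name}")
            if "3DES" in c.name:  # 64-bit block cipher, SWEET32
                flag("sweet32_3des", f"{proto} {c.name}")
            if c.kex == "dh" and c.bits is not None and c.bits < 2048:
                flag("dh_below_2048", f"{proto} {c.name} (dh {c.bits})")
            if c.name.startswith("TLS_RSA_WITH_"):  # static RSA kex, no forward secrecy
                flag("no_forward_secrecy", f"{proto} {c.name}")
            if c.grade != "A":
                flag("graded_below_A", f"{proto} {c.name} ({c.grade})")
    return issues


def audit(scan_text: str) -> dict[int, dict[str, set[str]]]:
    """Ports with at least one issue; a clean port is absent from the result."""
    return {port: found for port, by_proto in parse_scan(scan_text).items()
            if (found := assess(by_proto))}
```

<p>To use it on a real server, save the scan with <code>nmap --script ssl-enum-ciphers host > scan.txt</code> and call <code>audit(open("scan.txt").read())</code>; an empty result means every open TLS port showed only TLS 1.2+ suites with forward secrecy and an A grade. It only triages what nmap already observed from the outside, which is the right vantage point here: the thread's problem is what the server offers to the world, not what a local config file says.</p>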