From: aaronkaplan
Date: Wed, 2 Mar 2016 08:45:40 +0000 (+0100)
Subject: update postfix settings due to DROWN attack
X-Git-Url: https://git.bettercrypto.org/ach-master.git/commitdiff_plain/28181c9c1c3d56315b942703f05e2f132f204855

update postfix settings due to DROWN attack
---

diff --git a/src/configuration/MailServers/Postfix/main.cf b/src/configuration/MailServers/Postfix/main.cf
index cd7b9b0..11934b3 100644
--- a/src/configuration/MailServers/Postfix/main.cf
+++ b/src/configuration/MailServers/Postfix/main.cf
@@ -32,7 +32,16 @@ smtp_tls_loglevel = 1
 smtpd_tls_auth_only = yes
 tls_ssl_options = NO_COMPRESSION
 
+# be explicit about turning off SSLv2 / v3 due to the DROWN attack
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_protocols = !SSLv2, !SSLv3
+
+lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+lmtp_tls_protocols = !SSLv2, !SSLv3
+
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3
+
 smtpd_tls_mandatory_ciphers=high
 tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 smtpd_tls_eecdh_grade=ultra
diff --git a/src/practical_settings/mailserver.tex b/src/practical_settings/mailserver.tex
index bafe904..2534046 100644
--- a/src/practical_settings/mailserver.tex
+++ b/src/practical_settings/mailserver.tex
@@ -17,7 +17,7 @@ Office Protocol (POP).
 As MSAs and MTAs both use SMTP as transfer protocols, both functionalities may often may be implemented with the same software. On the other hand, MDA software
-may or may not implement both IMAP and POP.
+might or might not implement both IMAP and POP.
 %% ----------------------------------------------------------------------
 \subsection{TLS usage in mail server protocols}
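Review bot: The new comment on the inserted block credits DROWN with the SSLv3 exclusion as well, but DROWN is an SSLv2-only cross-protocol attack and its mitigation depends on where the RSA key is exposed, not only on this daemon; I would reword it to `# DROWN: SSLv2 must stay disabled on every service that shares this RSA key (not just Postfix); SSLv3 is excluded separately (POODLE)`. Readers of a DROWN fix may also stumble over the `+SSLv3` token that remains in `tls_high_cipherlist`, so a short comment saying it is an OpenSSL cipher-ordering directive (it demotes SSLv3-era suites) and not a protocol switch would help. By my count from `@@ -32,7 +32,16 @@`, the insert moves `smtpd_tls_mandatory_ciphers` to new line 45, `tls_high_cipherlist` to 46 and `smtpd_tls_eecdh_grade` to 47, so the `\configfile{main.cf}{36-45}` and `{46-46}` references updated in the mailserver.tex hunks at `@@ -245,7 +248,7 @@` and `@@ -253,7 +256,7 @@` appear to drop the cipher list from the MSA listing and point the EECDH listing at the cipher list instead of `smtpd_tls_eecdh_grade`; `{36-46}` and `{47-47}` would match the new layout.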
@@ -50,6 +50,8 @@ We recommend to use the following settings for Mail Transfer Agents:
  \item do not use self signed certificates
  \item accept all cipher suites, as the alternative would be to fall back to cleartext transmission
+ \item an execption to the last sentence is that MTAs \textit{MUST NOT}
+ enable SSLv2 protocol support, due to the DROWN attack\footnote{\url{https://drownattack.com/drown-attack-paper.pdf}}.
 \end{itemize*}
 For MSA operation we recommend:
@@ -58,7 +60,7 @@ For MSA operation we recommend:
  \item optionally listen on port 465 with Implicit TLS
  \item enforce SMTP AUTH even for local networks
  \item ensure that SMTP AUTH is not allowed on unencrypted connections
- \item use the recommended cipher suites if all connecting MUAs support them
+ \item only use the recommended cipher suites if all connecting MUAs support them
 \end{itemize*}
 
 For MDA operation we recommend:
@@ -69,6 +71,7 @@ For MDA operation we recommend:
  \item enforce authentication even for local networks
  \item make sure that authentication is not allowed on unencrypted connections
  \item use the recommended cipher suites if all connecting MUAs support them
+ \item turn off SSLv2 (DROWN attack\footnote{\url{https://drownattack.com/drown-attack-paper.pdf}})
 \end{itemize*}
 
 %% ----------------------------------------------------------------------
@@ -245,7 +248,7 @@ For the MSA \verb|smtpd| process which communicates with mail clients, we
 first define the ciphers that are acceptable for the ``mandatory'' security level, again in \verb|main.cf|:
-\configfile{main.cf}{35-37}{MSA TLS configuration in Postfix}
+\configfile{main.cf}{36-45}{MSA TLS configuration in Postfix}
 Then, we configure the MSA smtpd in \verb|master.cf| with two
 additional options that are only used for this instance of smtpd:
@@ -253,7 +256,7 @@ additional options that are only used for this instance of smtpd:
 \configfile{master.cf}{12-14}{MSA smtpd service configuration in Postfix}
 For those users who want to use EECDH key exchange, it is possible to customize this via:
-\configfile{main.cf}{38-38}{EECDH customization in Postfix}
+\configfile{main.cf}{46-46}{EECDH customization in Postfix}
 The default value since Postfix 2.8 is ``strong''.
 
 \subsubsection{Limitations}