Disabling SSLv2 on Postfix 2.5.1

Disabling SSLv2 on Postfix 2.5.1

Jake Vickers-2
I am having a spot of trouble disabling SSLv2 on a Postfix 2.5.1
installation (from Fedora 9 repo). Here is my postconf:

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = mail.network.com, localhost, localhost.localdomain
myhostname = mail.network.com
mynetworks = 127.0.0.0/8, 192.168.0.0/24
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $local_recipient_maps $mydestination
    $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
    $virtual_mailbox_domains $relay_recipient_maps $relay_domains
    $canonical_maps $sender_canonical_maps $recipient_canonical_maps
    $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/postfix-2.5.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_security_options = noanonymous
smtp_tls_mandatory_protocols = !SSLv2
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/mail.network.com.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.network.com.key
smtpd_tls_mandatory_ciphers = medium, high
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_local_recipient_reject_code = 450
virtual_alias_domains =
virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
    mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf


And when I try and check (from another machine) to see if it's still active:

openssl s_client -connect 192.168.0.10:25 -ssl2

I get this:
> CONNECTED(00000003)

That means it's still answering SSLv2 correct? I am confused as to what
I may be missing to disable this. Can anyone provide any suggestions or
tips? I am using certs signed by a CA, if that makes any difference.
Thanks!


Re: Disabling SSLv2 on Postfix 2.5.1

Barney Desmond
2009/7/24 Jake Vickers <[hidden email]>:
> I am having a spot of trouble disabling SSLv2 on a Postfix 2.5.1
> installation (from Fedora 9 repo). Here is my postconf:

> $ postconf -n
<snip>
> smtpd_tls_mandatory_protocols = !SSLv2

As documented, this shouldn't be necessary:
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols

> And when I try and check (from another machine) to see if it's still active:
>
> openssl s_client -connect 192.168.0.10:25 -ssl2
>
> I get this:
>>
>> CONNECTED(00000003)
>
> That means it's still answering SSLv2 correct?

Does it? It means you're getting a connection, it doesn't mean you're
getting past that point. You really want to test for TLS anyway, so
use openssl's SMTP protocol support. An example from my own TLS setup
(seeing as you haven't been forthcoming with details of your own):

% openssl s_client -connect yoshino.meidokon.net:587 -starttls smtp -ssl2
CONNECTED(00000003)
write:errno=104

It works fine if you remove the "-ssl2".
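The distinction Barney draws (CONNECTED only proves a TCP connection; whether a session was negotiated has to be read from the later lines) can be checked mechanically. The following Python parser for `openssl s_client` transcripts is an added example and not part of the thread; the two transcripts it checks are constructed from the outputs quoted in this thread, and its regular expressions assume that output format.

```python
"""Decide what an `openssl s_client` transcript actually proves.

Added example, not part of this thread. The regular expressions assume
the s_client output format shown in the messages above; the two sample
transcripts are constructed from the outputs the posters quoted."""
import re

# Constructed sample 1: TCP connect succeeded, the SSLv2 hello was refused.
REFUSED = """\
CONNECTED(00000003)
write:errno=104
"""

# Constructed sample 2: an SSLv2 session really was negotiated
# (trimmed to the lines the decision depends on).
NEGOTIATED = """\
CONNECTED(00000003)
depth=0 /C=CA/O=mail.example.com/CN=mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
---
250 DSN
"""

_PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)
_NEW_RE = re.compile(r"^New, (\S+), Cipher is (\S+)", re.MULTILINE)
# Newer openssl still prints an SSL-Session block after a failed handshake,
# with a null cipher; treat those as "no session".
_NULL_CIPHERS = {"(NONE)", "0000"}


def classify(output: str) -> dict:
    """Summarise a transcript: did TCP connect, did a session get
    negotiated, and if so with which protocol version and cipher."""
    protocol = cipher = None
    m = _PROTOCOL_RE.search(output)
    if m:
        protocol = m.group(1)
    m = _CIPHER_RE.search(output)
    if m:
        cipher = m.group(1)
    m = _NEW_RE.search(output)
    if m:
        protocol = protocol or m.group(1)
        cipher = cipher or m.group(2)
    handshake = cipher is not None and cipher not in _NULL_CIPHERS
    return {
        "connected": "CONNECTED(" in output,
        "handshake": handshake,
        "protocol": protocol if handshake else None,
        "cipher": cipher if handshake else None,
    }


def sslv2_accepted(output: str) -> bool:
    """True only when a session was completed *and* it is SSLv2.
    A bare CONNECTED line, or CONNECTED followed by write:errno or a
    handshake failure, is not evidence that the server speaks SSLv2."""
    summary = classify(output)
    return bool(summary["handshake"] and summary["protocol"] == "SSLv2")


if __name__ == "__main__":
    for name, transcript in (("refused", REFUSED), ("negotiated", NEGOTIATED)):
        print(f"{name}: {classify(transcript)} -> SSLv2 accepted: "
              f"{sslv2_accepted(transcript)}")
```

Run against Barney's transcript the verdict is "connected, no handshake"; only a transcript with a completed session whose `Protocol` line reads `SSLv2` counts as the server accepting SSLv2.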
Re: Disabling SSLv2 on Postfix 2.5.1

Jake Vickers-2
Barney Desmond wrote:
> 2009/7/24 Jake Vickers [hidden email]:
>> I am having a spot of trouble disabling SSLv2 on a Postfix 2.5.1
>> installation (from Fedora 9 repo). Here is my postconf:
>>
>> $ postconf -n
> <snip>
>> smtpd_tls_mandatory_protocols = !SSLv2
>
> As documented, this shouldn't be necessary:
> http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols
>
>> And when I try and check (from another machine) to see if it's still active:
>>
>> openssl s_client -connect 192.168.0.10:25 -ssl2
>>
>> I get this:
>>> CONNECTED(00000003)
>>
>> That means it's still answering SSLv2 correct?
>
> Does it? It means you're getting a connection, it doesn't mean you're
> getting past that point. You really want to test for TLS anyway, so
> use openssl's SMTP protocol support. An example from my own TLS setup
> (seeing as you haven't been forthcoming with details of your own):
>
> % openssl s_client -connect yoshino.meidokon.net:587 -starttls smtp -ssl2
> CONNECTED(00000003)
> write:errno=104
>
> It works fine if you remove the "-ssl2".

That's where it confuses me on my end. You see that I have smtpd_tls_mandatory = !SSLv2 in my config (even though the documentation says I do not need it), but when I use your command I get a connection and my certificate:


jake@jake-desktop:~$ openssl s_client -connect 270.271.204.26:587 -starttls smtp -ssl2
CONNECTED(00000003)
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDODCCAqGgAwIBAgIDDBRgMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNzIyMDY1ODA0WhcNMTAwNzI0MTMwNjAw

<--snip-->

subject=/C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5         EXP-RC4-MD5     RC2-CBC-MD5   
EXP-RC2-CBC-MD5 DES-CBC-MD5     DES-CBC3-MD5
---
SSL handshake has read 1172 bytes and written 271 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 75F9B5C96A96710363065077390D449B
    Session-ID-ctx:
    Master-Key: 94D5D80849D4EBC3A89E13A25EEF4009499F04CDE5821EF8
    Key-Arg   : DC09C51C27AE4A04
    Start Time: 1248431958
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN

<--end-->



This is why I am confused. I shouldn't need to turn it off, and I explicitly state to do so in the config, but it still allows SSLv2 connections.

Re: Disabling SSLv2 on Postfix 2.5.1

Jake Vickers-2
Jake Vickers wrote:
> Barney Desmond wrote:
>> 2009/7/24 Jake Vickers [hidden email]:
>>> I am having a spot of trouble disabling SSLv2 on a Postfix 2.5.1
>>> installation (from Fedora 9 repo). Here is my postconf:
>>>
>>> $ postconf -n
>> <snip>
>>> smtpd_tls_mandatory_protocols = !SSLv2
>>
>> As documented, this shouldn't be necessary:
>> http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols
>>
>>> And when I try and check (from another machine) to see if it's still active:
>>>
>>> openssl s_client -connect 192.168.0.10:25 -ssl2
>>>
>>> I get this:
>>>> CONNECTED(00000003)
>>>
>>> That means it's still answering SSLv2 correct?
>>
>> Does it? It means you're getting a connection, it doesn't mean you're
>> getting past that point. You really want to test for TLS anyway, so
>> use openssl's SMTP protocol support. An example from my own TLS setup
>> (seeing as you haven't been forthcoming with details of your own):
>>
>> % openssl s_client -connect yoshino.meidokon.net:587 -starttls smtp -ssl2
>> CONNECTED(00000003)
>> write:errno=104
>>
>> It works fine if you remove the "-ssl2".
>
> That's where it confuses me on my end. You see that I have smtpd_tls_mandatory = !SSLv2 in my config (even though the documentation says I do not need it), but when I use your command I get a connection and my certificate:
>
> jake@jake-desktop:~$ openssl s_client -connect 270.271.204.26:587 -starttls smtp -ssl2
> CONNECTED(00000003)
> depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIDODCCAqGgAwIBAgIDDBRgMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
> MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
> aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNzIyMDY1ODA0WhcNMTAwNzI0MTMwNjAw
>
> <--snip-->
>
> subject=/C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
> issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> No client certificate CA names sent
> ---
> Ciphers common between both SSL endpoints:
> RC4-MD5         EXP-RC4-MD5     RC2-CBC-MD5
> EXP-RC2-CBC-MD5 DES-CBC-MD5     DES-CBC3-MD5
> ---
> SSL handshake has read 1172 bytes and written 271 bytes
> ---
> New, SSLv2, Cipher is DES-CBC3-MD5
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : SSLv2
>     Cipher    : DES-CBC3-MD5
>     Session-ID: 75F9B5C96A96710363065077390D449B
>     Session-ID-ctx:
>     Master-Key: 94D5D80849D4EBC3A89E13A25EEF4009499F04CDE5821EF8
>     Key-Arg   : DC09C51C27AE4A04
>     Start Time: 1248431958
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> 250 DSN
>
> <--end-->
>
> This is why I am confused. I shouldn't need to turn it off, and I explicitly state to do so in the config, but it still allows SSLv2 connections.

I also tried these settings (smtpd_tls_mandatory_protocols = !SSLv2) on a Debian build (running 2.3.8) with a self-signed cert and am still getting an SSLv2 connection. I'm sure I'm missing something glaringly obvious...
Re: Disabling SSLv2 on Postfix 2.5.1

Noel Jones-2
Jake Vickers wrote:
>
> I also tried these settings (smtpd_tls_mandatory_protocols = !SSLv2) on
> a Debian build (running 2.3.8) with a self-signed cert and am still
> getting an SSLv2 connection. I'm sure I'm missing something glaringly
> obvious...


smtpd_tls_mandatory_protocols only takes effect when
smtpd_tls_security_level = encrypt.


   -- Noel Jones
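Noel's point is easy to miss in a long `postconf -n` listing, so here is an added example (not part of this thread and not a Postfix tool) that parses `postconf -n` output and flags `smtpd_tls_mandatory_*` settings that cannot apply at the configured security level. It assumes two things from the postconf(5) manual rather than from the thread: that the legacy booleans `smtpd_use_tls` / `smtpd_enforce_tls` correspond to the `may` / `encrypt` levels when no `smtpd_tls_security_level` is set, and that the non-mandatory `smtpd_tls_protocols` parameter exists only from Postfix 2.6 onwards. The sample configuration is constructed from the one posted above.

```python
"""Lint `postconf -n` output for the trap discussed in this thread: the
smtpd_tls_mandatory_* parameters only govern sessions in which TLS is
mandatory (smtpd_tls_security_level = encrypt), so they change nothing
for the opportunistic TLS an SMTP server normally offers.

Added example, not Postfix's own tooling. Two things are assumed here
from the postconf(5) manual rather than taken from the thread: the
legacy booleans smtpd_use_tls / smtpd_enforce_tls map to levels may /
encrypt when no *_tls_security_level is set, and the non-mandatory
smtpd_tls_protocols parameter exists from Postfix 2.6 onwards.
The sample configuration is constructed from the one posted."""

# Constructed sample, trimmed from the `postconf -n` in the first message.
SAMPLE = """\
smtp_tls_mandatory_protocols = !SSLv2
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = medium, high
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_use_tls = yes
"""


def parse_postconf(text: str) -> dict:
    """Parse `key = value` lines; a line that starts with whitespace
    continues the previous value, as in postconf's own output."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and key is not None:
            params[key] = f"{params[key]} {raw.strip()}".strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def effective_security_level(params: dict, prefix: str) -> str:
    """Resolve the TLS level for `smtp` (client) or `smtpd` (server):
    an explicit *_tls_security_level wins; otherwise the legacy booleans
    are mapped as assumed above (enforce -> encrypt, use -> may, else none)."""
    level = params.get(f"{prefix}_tls_security_level")
    if level:
        return level
    if params.get(f"{prefix}_enforce_tls", "no") == "yes":
        return "encrypt"
    if params.get(f"{prefix}_use_tls", "no") == "yes":
        return "may"
    return "none"


def lint(params: dict, prefix: str = "smtpd") -> list:
    """Return findings about *_tls_mandatory_* parameters that cannot
    take effect at the configured level; an empty list means no finding."""
    level = effective_security_level(params, prefix)
    mandatory_only = [p for p in (f"{prefix}_tls_mandatory_protocols",
                                  f"{prefix}_tls_mandatory_ciphers")
                      if p in params]
    if not mandatory_only:
        return []
    names = ", ".join(mandatory_only)
    if level == "none":
        return [f"{prefix}: TLS is disabled (level none), so {names} "
                f"have no effect"]
    if level == "may":
        return [f"{prefix}: level is may (opportunistic TLS), so {names} "
                f"do not apply; either set {prefix}_tls_security_level = "
                f"encrypt or use the non-mandatory {prefix}_tls_protocols "
                f"(Postfix 2.6 and later)"]
    return []   # encrypt or stricter: the mandatory_* parameters apply


if __name__ == "__main__":
    cfg = parse_postconf(SAMPLE)
    for prefix in ("smtpd", "smtp"):
        for finding in lint(cfg, prefix) or [f"{prefix}: no findings"]:
            print(finding)
```

On the posted configuration the server side resolves to level `may` (there is `smtpd_use_tls = yes` and no `smtpd_tls_security_level`), which is exactly why the `!SSLv2` setting was never consulted; the client side resolves to `none`, so `smtp_tls_mandatory_protocols` is flagged as having no effect either.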
Re: Disabling SSLv2 on Postfix 2.5.1

Jake Vickers-2
Noel Jones wrote:

> Jake Vickers wrote:
>>
>> I also tried these settings (smtpd_tls_mandatory_protocols = !SSLv2)
>> on a Debian build (running 2.3.8) with a self-signed cert and am
>> still getting an SSLv2 connection. I'm sure I'm missing something
>> glaringly obvious...
>
>
> smtpd_tls_mandatory_protocols only takes effect when
> smtpd_tls_security_level = encrypt.
>
>
>   -- Noel Jones


Brilliant! Thanks for pointing that out. I did not see/infer that from
the documentation.

Re: mydomain and alias questions

Rodman Frowert-2
In reply to this post by Noel Jones-2
Noel,

I understand that anything for "mydomain" is looked up in /etc/passwd which
is a type of local recipient table.  But what if I want to feed that
"lookup system" another file in addition to the /etc/passwd file?  I was
looking at the "local_recipient_maps" parameter but haven't quite figured
out how to get it to be used.

Basically, I would like the default local lookup done IN ADDITION to another
file I specify.  This way, I still get local lookups, but I can add users
to just the Postfix mail system and not to the actual Unix system.  So
anything to mail that is "mydomain" will be looked up in both tables.

Does this make sense?

Rodman


>Noel wrote:
>You must set them up with a username/password *somewhere* so they can check
>their mail. With most IMAP/POP software, that means either creating system
>users or using a "virtual" back-end such as SQL or LDAP.


>The quick and dirty way is just create system users with the login shell
>set to /bin/false or whatever so they can't actually get shell access. For
>a small number of somewhat-trusted users, that's the easy way to go.


>Dovecot can use a "passwd-like" file (manually maintained file with
>contents similar to /etc/passwd) to make local users with no system
>privileges, you might want to read up on that.



>   -- Noel Jones


Re: mydomain and alias questions

mouss-4
please do not hijack threads. send a new message instead of replying to
an unrelated one.

Rodman Frowert wrote:

> Noel,
>
> I understand that anything for "mydomain" is looked up in /etc/passwd
> which is a type of local recipient table.  But what if I want to feed
> that "lookup system" another file in addition to the /etc/passwd file?
> I was looking at the "local_recipient_maps" parameter but haven't quite
> figured out how to get it to be used.
>
> Basically, I would like the default local lookup done IN ADDITION to
> another file I specify.  This way, I still get local lookups, but I can
> add users to just the Postfix mail system and not to the actual Unix
> system.  So anything to mail that is "mydomain" will be looked up in
> both tables.
>

if you want virtual users, then the way to go is virtual_mailbox_domains
(after removing $mydomain from mydestination). if you still want to
deliver to unix accounts, use virtual_alias_maps to redirect
[hidden email] to [hidden email], where
localhost.example.com is listed in mydestination.

You really need to read
        http://www.postfix.org/BASIC_CONFIGURATION_README.html
        http://www.postfix.org/VIRTUAL_README.html
(at least).



> Does this make sense?
>
Re: Disabling SSLv2 on Postfix 2.5.1

Wietse Venema
In reply to this post by Jake Vickers-2
Jake Vickers:

> Noel Jones wrote:
> > Jake Vickers wrote:
> >>
> >> I also tried these settings (smtpd_tls_mandatory_protocols = !SSLv2)
> >> on a Debian build (running 2.3.8) with a self-signed cert and am
> >> still getting an SSLv2 connection. I'm sure I'm missing something
> >> glaringly obvious...
> >
> >
> > smtpd_tls_mandatory_protocols only takes effect when
> > smtpd_tls_security_level = encrypt.
> >
> >
> >   -- Noel Jones
>
>
> Brilliant! Thanks for pointing that out. I did not see/infer that from
> the documentation.


man 5 postconf
...
smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1)
       The  SSL/TLS  protocols accepted by the Postfix SMTP server with manda-
       tory TLS encryption.

Re: mydomain and alias questions

Rodman Frowert-2
In reply to this post by mouss-4
Mouss wrote,

> please do not hijack threads. send a new message instead of replying to
> an unrelated one.

I started this thread.  Not sure what thread I purportedly hijacked you
are referring to.

> if you want virtual users, then the way to go is virtual_mailbox_domains
> (after removing $mydomain from mydestination). if you still want to
> deliver to unix accounts, use virtual_alias_maps to redirect
> [hidden email] to [hidden email], where
> localhost.example.com is listed in mydestination.
>
> You really need to read
> http://www.postfix.org/BASIC_CONFIGURATION_README.html
> http://www.postfix.org/VIRTUAL_README.html
> (at least).

Thanks, I'll check it out.

Re: mydomain and alias questions

mouss-4
Rodman Frowert wrote:
> Mouss wrote,
>
>> please do not hijack threads. send a new message instead of replying to
>> an unrelated one.
>
> I started this thread.

you replied to Noel's post (in the "Disabling SSLv2..." thread).
changing the subject is not enough:

check your post and you'll see

References: <[hidden email]>
<[hidden email]>
<[hidden email]> <[hidden email]>
<[hidden email]>


now look at Jake Vickers' "Disabling SSLv2...." message and you'll see
Message-ID: <[hidden email]>

Those of us who use a threaded view see your message in the other
thread. if you do so, your message will be missed by some of the members
(If I ignore a thread, I won't see messages in the same thread). this
also "breaks" the archives.

> Not sure what thread I purportedly hijacked you
> are referring to.
Re: mydomain and alias questions

Rodman Frowert-2
Gotcha...  Wasn't thinking about threaded views.  Sorry about that.

Rodman

> Rodman Frowert wrote:
>> Mouss wrote,
>>
>>> please do not hijack threads. send a new message instead of replying to
>>> an unrelated one.
>>
>> I started this thread.
>
> you replied to Noel's post (in the "Disabling SSLv2..." thread).
> changing the subject is not enough:
>
> check your post and you'll see
>
> References: <[hidden email]>
> <[hidden email]>
> <[hidden email]> <[hidden email]>
> <[hidden email]>
>
>
> now look at Jake Vickers' "Disabling SSLv2...." message and you'll see
> Message-ID: <[hidden email]>
>
> Those of us who use a threaded view see your message in the other
> thread. if you do so, your message will be missed by some of the members
> (If I ignore a thread, I won't see messages in the same thread). this
> also "breaks" the archives.
>
>> Not sure what thread I purportedly hijacked you
>> are referring to.
>