Enabling TLSv1.2 support in postfix 2.8.2

Enabling TLSv1.2 support in postfix 2.8.2

Burn Zero
Hi,

Currently my mail setup is using TLSv1 to connect to O365. Now that O365 has announced dropping their support for TLSv1, TLSv1.1, how to enable support for TLSv1.2 in postfix 2.8.2?

My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013

It should also support TLSv1, TLSv1.1 for older clients/servers but higher level should always be TLSv1.2

How to achieve this?

I changed the below configs,

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3

But that doesn't work. Still the connection is established using TLSv1.

Thank you.

Re: Enabling TLSv1.2 support in postfix 2.8.2

Petri Riihikallio

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2, !SSLv3
>
> But that doesn't work. Still the connection is established using TLSv1.

Those are for smtpd or inbound connections. For outbound to O365 you need to look at smtp_ settings.

--
br, Petri
https://metis.fi/fi/petri
tel:+358400505939

Re: Enabling TLSv1.2 support in postfix 2.8.2

Burn Zero
Hi,

Yea, I got it. But even with that configuration when I connect to my server, my server is still accepting connections in TLSv1. If I disable TLSv1 in my server,

warning: TLS library problem: 21975:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:

On Wed, Oct 24, 2018 at 4:45 PM Petri Riihikallio <[hidden email]> wrote:

> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> >
> > But that doesn't work. Still the connection is established using TLSv1.
>
> Those are for smtpd or inbound connections. For outbound to O365 you need to look at smtp_ settings.
>
> --
> br, Petri
> https://metis.fi/fi/petri
> tel:+358400505939

Re: Enabling TLSv1.2 support in postfix 2.8.2

Matus UHLAR - fantomas
On 24.10.18 16:56, Burn Zero wrote:
>Yea, I  got it. But even with that configuration when I connect to my
>server, my server is still accepting connections in TLSv1. If I disable
>TLSv1 in my server,
>
>warning: TLS library problem: 21975:error:140760FC:SSL
>routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:

which OS/distribution do you use?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease

Re: Enabling TLSv1.2 support in postfix 2.8.2

Burn Zero
Hi,

I use CentOS 6.5

On Wed, Oct 24, 2018 at 5:01 PM Matus UHLAR - fantomas <[hidden email]> wrote:
> On 24.10.18 16:56, Burn Zero wrote:
> >Yea, I got it. But even with that configuration when I connect to my
> >server, my server is still accepting connections in TLSv1. If I disable
> >TLSv1 in my server,
> >
> >warning: TLS library problem: 21975:error:140760FC:SSL
> >routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:
>
> which OS/distribution do you use?
>
> --
> Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease

Re: Enabling TLSv1.2 support in postfix 2.8.2

Benny Pedersen-2
In reply to this post by Burn Zero
Burn Zero skrev den 2018-10-24 13:26:

> warning: TLS library problem: 21975:error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:

it's not a postfix question what is supported in openssl

ssl is not tls

do not disable tlsv1

if more help is needed show logs of smtp, not smtpd

sslv2 and sslv3 can be disabled in openssl in compile time

Re: Enabling TLSv1.2 support in postfix 2.8.2

Viktor Dukhovni
In reply to this post by Burn Zero
On Wed, Oct 24, 2018 at 04:28:29PM +0530, Burn Zero wrote:

> Currently my mail setup is using TLSv1 to connect to O365. Now that O365
> has announced dropping their support for TLSv1, TLSv1.1, how to enable
> support for TLSv1.2 in postfix  2.8.2?
>
> My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013

Support for TLS 1.2 was added in OpenSSL 1.0.2.  Postfix 2.8 supports
TLS 1.2 just fine, provided the OpenSSL it is linked with does the
same.  You need a less ancient operating system whose OpenSSL library
is at least 1.0.2.  Note that OpenSSL 1.0.1 reached end of life
last year, is no longer supported, and likely has some residual
security warts.

--
        Viktor.

Re: Enabling TLSv1.2 support in postfix 2.8.2

Richard-2
In reply to this post by Burn Zero


> Date: Wednesday, October 24, 2018 17:50:46 +0530
> From: Burn Zero <[hidden email]>
>
> Hi,
>
> I use CentOS 6.5


The current release level of CentOS 6 is .10.

CentOS 6.6 was released in early November 2014, so your system seems
to have gone about 4 years without updates (security and otherwise).

The current release of CentOS 7, which is .5, has:
 
  openssl-libs-1.0.2k-12
  openssl-1.0.2k-12

so that would appear to provide the necessary libraries.

Re: Enabling TLSv1.2 support in postfix 2.8.2

Viktor Dukhovni
In reply to this post by Viktor Dukhovni
On Wed, Oct 24, 2018 at 12:59:06PM -0400, Viktor Dukhovni wrote:

> > My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013
>
> Support for TLS 1.2 was added in OpenSSL 1.0.2.

Apologies, I double-checked, and support for TLS 1.2 was in fact
added in OpenSSL 1.0.1, so your OpenSSL library should have it.

> Postfix 2.8 supports
> TLS 1.2 just fine, provided the OpenSSL it is linked with does the
> same.

And yet, the above is also true, Postfix 2.8 will use TLS 1.2 if
the underlying OpenSSL library supports it.  What was added in
Postfix 2.8.10 was the ability to *disable* TLS 1.2 if needed:

    Major changes with Postfix 2.8.10
    ---------------------------------
   
    This release adds support to turn off the TLSv1.1 and TLSv1.2
    protocols.  Introduced with OpenSSL version 1.0.1, these are known
    to cause inter-operability problems with for example hotmail.

Prior to 2.8.10, Postfix had no means to disable TLS 1.2.

> You need a less ancient operating system whose OpenSSL library
> is at least 1.0.2.  Note that OpenSSL 1.0.1 reached end of life
> last year, is no longer supported, and likely has some residual
> security warts.

You should still avoid OpenSSL 1.0.1, it was first released more
than six years ago in March of 2012 and its last update was in Nov
2016.  The 1.0.2 release was released in January of 2015 and users
should now be on either of the two 1.0.2 or 1.1.1 OpenSSL LTS
releases.

--
  Viktor.

Re: Enabling TLSv1.2 support in postfix 2.8.2

Daniel Ryšlink
In reply to this post by Benny Pedersen-2
> do not disable tlsv1

It was recommended to disable support of TLSv1.0 on 30th June 2018 at
the latest, because it includes vulnerable ciphers.

https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

--
Best Regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
[hidden email]
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------

On 24. 10. 18 17:19, Benny Pedersen wrote:

> Burn Zero skrev den 2018-10-24 13:26:
>
>> warning: TLS library problem: 21975:error:140760FC:SSL
>> routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:
>
> its not a postfix question what is supported in openssl
>
> ssl is not tls
>
> do not disable tlsv1
>
> if more help is needed show logs of smtp, not smtpd
>
> sslv2 and sslv3 can be disabled in openssl in compile time
>

Re: Enabling TLSv1.2 support in postfix 2.8.2

Viktor Dukhovni
Cleartext email is even more vulnerable than TLSv1.  SMTP is not as
exposed to the various CBC issues as is HTTP.  There is no urgency
to disable TLS1 in SMTP.  It'll gradually fade away, but there's no
need to explicitly disable it at present.

> On Oct 24, 2018, at 4:25 PM, Daniel Ryšlink <[hidden email]> wrote:
>
> > do not disable tlsv1
>
> It was recommended to disable support of TLSv1.0 on 30th June 2018 at the latest, because it includes vulnerable ciphers.
>
> https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

--
        Viktor.


Re: Enabling TLSv1.2 support in postfix 2.8.2

@lbutlr
In reply to this post by Benny Pedersen-2
On Oct 24, 2018, at 09:19, Benny Pedersen <[hidden email]> wrote:
>
> do not disable tlsv1

I couldn’t disagree more. TLSv1.2 has been out for a decade and there is no reason to be running v1 or v1.1. At all.

I’ve been running with TLSv1.2 only for over a year.

--
This is my signature. There are many like it, but this one is mine.

Re: Enabling TLSv1.2 support in postfix 2.8.2

Benny Pedersen-2
@lbutlr skrev den 2018-10-25 00:44:
> On Oct 24, 2018, at 09:19, Benny Pedersen <[hidden email]> wrote:

>> do not disable tlsv1
> I couldn’t disagree more.

ditto here

> TLSv1.2 has been out for a decade and there
> is no reason to be running v1 or v1.1. At all

if openssl is the last stable version, all problems are solved

there is no need to disable tls at all if tls 1.2 is used

> I’ve been running with TLSv1.2 only for over a year.

same here, does it help systems that need to update openssl...

Re: Enabling TLSv1.2 support in postfix 2.8.2

Micah Anderson-2
In reply to this post by @lbutlr
"@lbutlr" <[hidden email]> writes:

> On Oct 24, 2018, at 09:19, Benny Pedersen <[hidden email]> wrote:
>>
>> do not disable tlsv1
>
> I couldn’t disagree more. TLSv1.2 has been out for a decade and there is no reason to be running v1 or v1.1. At all.
>
> I’ve been running with TLSv1.2 only for over a year.

How much email are you doing, and do you have logs of the cipher suites
and protocols attempted? It would be very interesting to know because on
my reasonably busy server doing several millions of messages a day I'm
finding quite a bit of older TLS and ciphers still being used.

I agree that this should change, but the best way I know to get this to
change is to get microsoft and google to agree to stop accepting any
email that is not encrypted and not using tls1.2 by May 1st, 2020. This
will move the market, so to speak and still give people plenty of time
to make it happen.

--
        micah

Re: Enabling TLSv1.2 support in postfix 2.8.2

Bill Cole-3
In reply to this post by @lbutlr
On 24 Oct 2018, at 18:44, @lbutlr wrote:

> On Oct 24, 2018, at 09:19, Benny Pedersen <[hidden email]> wrote:
>>
>> do not disable tlsv1
>
> I couldn’t disagree more. TLSv1.2 has been out for a decade and
> there is no reason to be running v1 or v1.1. At all.

Well, you can say that, but...

# grep 'TLS connection established from' mail.log | sed 's/^.*: \(TLSv[^ ]*\).*/\1/' | sort | uniq -c
   1285 TLSv1
      2 TLSv1.1
   4997 TLSv1.2

So, for this atypical mail system, about 1 in 4 TLS connections can't do
v1.2. That includes machines at such sketchy places as Cloud9 (handler
of this mailing list,) BlackBaud ( many non-profits,) FictionPress
(a.k.a. FanFiction.net,) SpamCop, and AOL.

I expect that all of those will fall back to cleartext if I demand v1.2,
so mail will still work. I doubt that anyone finds the mail flow of that
server to be worth sniffing.

YMMV


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
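The same measurement as the grep/sed pipeline in the post above, as an added Python example (not code from the thread or from Postfix), run over constructed sample log lines in Postfix's smtpd log format. It tallies negotiated protocol versions and lists which peers would be affected by a TLSv1.2-only policy; the log lines, hostnames and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix's smtpd log format (not from the thread);
# the last line is an outbound smtp(8) handshake and must not be counted.
SAMPLE_LOG = """\
Oct 24 10:01:02 mx postfix/smtpd[2001]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 24 10:01:09 mx postfix/smtpd[2002]: Anonymous TLS connection established from relay.example.net[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Oct 24 10:02:15 mx postfix/smtpd[2003]: connect from unknown[203.0.113.5]
Oct 24 10:02:16 mx postfix/smtpd[2003]: Trusted TLS connection established from smtp.example.com[203.0.113.5]: TLSv1.1 with cipher AES128-SHA (128/128 bits)
Oct 24 10:03:40 mx postfix/smtpd[2004]: Untrusted TLS connection established from lists.example.org[192.0.2.44]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 24 10:04:01 mx postfix/smtp[2100]: Untrusted TLS connection established to mx.example.com[192.0.2.99]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

# Same selection as the grep/sed in the post: inbound handshakes logged by
# smtpd, keeping the peer, the negotiated protocol and the cipher.
ESTABLISHED = re.compile(
    r"postfix/smtpd\[\d+\]: \S+ TLS connection established from "
    r"(?P<peer>\S+): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)

LEGACY = ("TLSv1", "TLSv1.1")

def handshakes(log_text):
    """Yield (peer, protocol, cipher) for each inbound TLS handshake."""
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            yield m.group("peer"), m.group("proto"), m.group("cipher")

def tally_protocols(log_text):
    """Per-protocol counts, the `sort | uniq -c` step of the post."""
    return Counter(proto for _, proto, _ in handshakes(log_text))

def legacy_share(counts):
    """Fraction of inbound TLS sessions that did not reach TLSv1.2."""
    total = sum(counts.values())
    return 0.0 if total == 0 else sum(counts[p] for p in LEGACY) / total

def legacy_peers(log_text):
    """Senders that would lose TLS (or fall back to cleartext) under TLSv1.2-only."""
    return sorted({(peer, proto, cipher) for peer, proto, cipher in handshakes(log_text)
                   if proto in LEGACY})

if __name__ == "__main__":
    counts = tally_protocols(SAMPLE_LOG)
    for proto, n in sorted(counts.items()):
        print("%5d %s" % (n, proto))
    print("legacy share: %.0f%%" % (100 * legacy_share(counts)))
```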

Re: Enabling TLSv1.2 support in postfix 2.8.2

Miwa Susumu
In reply to this post by Burn Zero
Hi

On Wed, 24 Oct 2018 at 20:28, Burn Zero <[hidden email]> wrote:

> Yea, I  got it. But even with that configuration when I connect to my server, my server is still accepting connections in TLSv1. If I disable TLSv1 in my server,
>
> warning: TLS library problem: 21975:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:
>
> On Wed, Oct 24, 2018 at 4:45 PM Petri Riihikallio <[hidden email]> wrote:
>>
>>
>> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>> > smtpd_tls_protocols = !SSLv2, !SSLv3
>> >
>> > But that doesn't work. Still the connection is established using TLSv1.
>>
>> Those are for smtpd or inbound connections. For outbound to O365 you need to look at smtp_ settings.

Is network ok? :

  client <-> postfix <-> o365

The error message mentions s23_srvr.c, so is postfix working as a server here?

Is the problem occurring in 'client <-> postfix' communication?

--
miwarin

Re: Enabling TLSv1.2 support in postfix 2.8.2

Bastian Blank-3
In reply to this post by @lbutlr
On Wed, Oct 24, 2018 at 04:44:19PM -0600, @lbutlr wrote:
> On Oct 24, 2018, at 09:19, Benny Pedersen <[hidden email]> wrote:
> > do not disable tlsv1
> I couldn’t disagree more. TLSv1.2 has been out for a decade and there is no reason to be running v1 or v1.1. At all.

You disable cleartext SMTP as well?

Bastian

--
Schshschshchsch.
                -- The Gorn, "Arena", stardate 3046.2

Re: Enabling TLSv1.2 support in postfix 2.8.2

Matus UHLAR - fantomas
In reply to this post by Burn Zero
>> On 24.10.18 16:56, Burn Zero wrote:
>> >Yea, I  got it. But even with that configuration when I connect to my
>> >server, my server is still accepting connections in TLSv1. If I disable
>> >TLSv1 in my server,
>> >
>> >warning: TLS library problem: 21975:error:140760FC:SSL
>> >routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:

>On Wed, Oct 24, 2018 at 5:01 PM Matus UHLAR - fantomas <[hidden email]>
>wrote:
>> which OS/distribution do you use?

On 24.10.18 17:50, Burn Zero wrote:
>I use CentOS 6.5

I haven't found CentOS 6.5 nor RedHat 6.5 here, but on one of our RedHat 6.4
servers the postconf says:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1

so, apparently, when connecting to your server, tls1.1 and 1.2 are not
enabled. try:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

maybe this will allow new tls protocols and explain the issue.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

Re: Enabling TLSv1.2 support in postfix 2.8.2

Daniel Ryšlink
In reply to this post by Bastian Blank-3
| You disable cleartext SMTP as well?

The rationale here is that by accepting proven insecure protocols, one provides an illusion of security, which is potentially more dangerous than transparently refusing and falling back to plaintext delivery to preserve the functionality (which can create an incentive to upgrade from probably obsolete and unsupported software).

Moreover, mandatory TLS on public SMTP servers is prohibited as of now according to the RFC (you still MUST provide the option to fall back on plaintext delivery in case of TLS handshake failure on a public SMTP server), while deprecation of TLS older than 1.2 is recommended by RFC 8314 (and you CAN and SHOULD disable them).

"As soon as practicable, MSPs currently supporting Secure Sockets Layer (SSL) 2.x, SSL 3.0, or TLS 1.0 SHOULD transition their users to TLS 1.1 or later and discontinue support for those earlier versions of SSL and TLS." - RFC 8314

-- 
Best Regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
[hidden email]
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
----------------------------------------------- 
On 25-Oct-18 07:48, Bastian Blank wrote:
> On Wed, Oct 24, 2018 at 04:44:19PM -0600, @lbutlr wrote:
> > On Oct 24, 2018, at 09:19, Benny Pedersen [hidden email] wrote:
> > > do not disable tlsv1
> > I couldn't disagree more. TLSv1.2 has been out for a decade and there is no reason to be running v1 or v1.1. At all.
>
> You disable cleartext SMTP as well?
>
> Bastian

Re: Enabling TLSv1.2 support in postfix 2.8.2

Matus UHLAR - fantomas
In reply to this post by Matus UHLAR - fantomas
>>>On 24.10.18 16:56, Burn Zero wrote:
>>>>Yea, I  got it. But even with that configuration when I connect to my
>>>>server, my server is still accepting connections in TLSv1. If I disable
>>>>TLSv1 in my server,
>>>>
>>>>warning: TLS library problem: 21975:error:140760FC:SSL
>>>>routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:
>
>>On Wed, Oct 24, 2018 at 5:01 PM Matus UHLAR - fantomas <[hidden email]>
>>wrote:
>>>which OS/distribution do you use?
>
>On 24.10.18 17:50, Burn Zero wrote:
>>I use CentOS 6.5

On 25.10.18 09:10, Matus UHLAR - fantomas wrote:

>I haven't find centos 6.5 nor redhat 6.5 here, but on one of our redhat 6.4
>servers the postconf says:
>
>smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>
>so, apparently, when connecting to your server, tls1.1 and 1.2 are not
>enabled. try:
>
>smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
>
>maybe this will allow new tls protocols and explain the issue.

btw, seems there are many defaults that have to be changed there:

# postconf -d |grep tls|grep proto
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_protocols =

luckily it only applies for mandatory protocols.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig
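To make the point of the last two posts concrete (the smtp_ vs smtpd_ split Petri raised, and the `SSLv3, TLSv1` defaults shown above), here is an added Python example, not code from the thread or from Postfix, that resolves each Postfix protocol-list value to the set of protocols it permits and flags the lists that can never negotiate TLSv1.2 or still admit SSLv2/SSLv3. The inclusion/exclusion semantics and the list of protocol names are assumptions matching how the thread reads the settings; the sample input is the `postconf -d` output quoted above.

```python
import re

# Protocol names Postfix 2.8 on OpenSSL 1.0.1 can name, oldest first (assumed list).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# The value the thread recommends for the mandatory and opportunistic lists.
RECOMMENDED = "!SSLv2, !SSLv3"
# The `postconf -d` output quoted in the post above (Red Hat 6 era defaults).
POSTCONF_OUTPUT = """\
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_protocols =
"""

def allowed_protocols(value):
    """Resolve a protocol-list value to the set of protocols it permits.
    Assumed semantics, as the thread reads them: bare names form an
    inclusion list, '!' names are excluded, an empty value allows all."""
    include, exclude = set(), set()
    for token in re.split(r"[\s,:]+", value.strip()):
        if token:
            (exclude if token.startswith("!") else include).add(token.lstrip("!"))
    unknown = (include | exclude) - set(KNOWN)
    if unknown:
        raise ValueError("unknown protocol name(s): %s" % sorted(unknown))
    return (include or set(KNOWN)) - exclude

def parse_postconf(text):
    """Turn 'name = value' lines into a dict; a bare 'name =' yields ''."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit(params):
    """Flag lists that cannot negotiate TLSv1.2 or still admit SSLv2/SSLv3."""
    findings = {}
    for name, value in params.items():
        if not name.endswith(("_tls_protocols", "_tls_mandatory_protocols")):
            continue
        allowed = allowed_protocols(value)
        problems = ["TLSv1.2 not negotiable"] if "TLSv1.2" not in allowed else []
        problems += ["%s still allowed" % p for p in ("SSLv2", "SSLv3") if p in allowed]
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in sorted(audit(parse_postconf(POSTCONF_OUTPUT)).items()):
        print("%s: %s -> set '%s'" % (name, "; ".join(problems), RECOMMENDED))
```

Note that the audit treats the outbound smtp_ lists exactly like the inbound smtpd_ ones, which is the distinction the original poster missed.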