TLS Settings and Mobile Clients

7 messages

TLS Settings and Mobile Clients

asai
Greetings,

We've had some trouble over the years with iOS clients not being able to
connect to our Postfix server until a reboot of the mobile client takes
place.

In trying to upstep our general security, we're trying to implement some
of the recommendations on this list:
https://access.redhat.com/articles/1468593

It seems like the bulk of this is in raising the encryption on SMTP
delivery.

One question I have is, if we implement some of these settings like,
tls_auth_only, or tls_mandatory_protocols to exclude SSLv2 and SSLv3 will
this break iOS (or any other) mobile operability?

Or, does anyone have any better general guidelines for hardening Postfix?

Thank you,
Asai


Re: TLS Settings and Mobile Clients

Matus UHLAR - fantomas
On 03.08.20 15:25, Asai wrote:
>We've had some trouble over the years with iOS clients not being able
>to connect to our Postfix server until a reboot of the mobile client
>takes place.
>
>In trying to upstep our general security, we're trying to implement
>some of the recommendations on this list:
>https://access.redhat.com/articles/1468593

>It seems like the bulk of this is in raising the encryption on SMTP
>delivery.
>
>One question I have is, if we implement some of these settings like,
>tls_auth_only, or tls_mandatory_protocols to exclude SSLv2 and SSLv3
>will this break iOS (or any other) mobile operability?
>
>Or, does anyone have any better general guidelines for hardening Postfix?

To allow clients, you should enable the submission (587) and submissions
(465) ports in master.cf.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer

Re: TLS Settings and Mobile Clients

asai

> to allow clients you should enable ports submission (587) and submissions
> (465) in master.cf.

Thanks for your reply.  We are already doing that.  The main question is
just what will break if we allow TLS only.  Do you have any experience
with this?

Thank you,

Asai


Re: TLS Settings and Mobile Clients

Benny Pedersen-2
Asai skrev den 2020-08-06 00:08:
>> to allow clients you should enable ports submission (587) and
>> submissions
>> (465) in master.cf.
>
> Thanks for your reply.  We are already doing that.  The main question
> is just what will break if we allow TLS only.  Do you have any
> experience with this?

Nothing will break if TLSv1.1 is disabled, so the end result is to not
support SSLv2, SSLv3, TLSv1.1; everything enabled is then TLSv1.0, TLSv1.2,
TLSv1.3 if available in OpenSSL.

Disabling TLSv1.0 and TLSv1.1 will break Windows 7, but it's unsupported, so if
no one uses TLSv1.0 it's safe to disable it.

Overall, the details are more complicated.

Re: TLS Settings and Mobile Clients

@lbutlr
On 05 Aug 2020, at 16:08, Asai <[hidden email]> wrote:
> The main question is just what will break if we allow TLS only.

Software more than a decade old that is unsupported.

TLSv1.0 and 1.1 should no longer be used for anything but opportunistic unvalidated encryption on port 25; no non-TLS should be used under any circumstances.

--
I WILL NOT CALL MY TEACHER "HOT CAKES" Bart chalkboard Ep. 7G10


Re: TLS Settings and Mobile Clients

Viktor Dukhovni
On Mon, Aug 03, 2020 at 03:25:22PM -0700, Asai wrote:

> In trying to upstep our general security, we're trying to implement some
> of the recommendations on this list:
> https://access.redhat.com/articles/1468593
>
> It seems like the bulk of this is in raising the encryption on SMTP
> delivery.

You should be more explicit about whether you're asking about incoming
mail or outgoing mail.  But since you mentioned iOS clients, I will assume
you're only asking about inbound submission.

> One question I have is, if we implement some of these settings like,
> tls_auth_only, or tls_mandatory_protocols to exclude SSLv2 and SSLv3 will
> this break iOS (or any other) mobile operability?

- Yes, SASL auth should only be offered via STARTTLS and only on port 587
  (and if applicable also 465).
- Yes, clients that were misconfigured to not use TLS might then not be
  able to submit email, but they need to be configured correctly, rather
  than neglected.
- Yes, on the *submission* ports serving mail clients, you SHOULD
  disable all TLS versions older than TLSv1.2.  This may break
  some rather dated versions of Outlook.  These should be upgraded,
  rather than neglected.  I would not expect any issues with iOS.

> Or, does anyone have any better general guidelines for hardening Postfix?

Be judicious; excessive hardening is often counterproductive.  The
documentation and default settings are your best guides, more so than
something some guy said on the Internet.

On Thu, Aug 06, 2020 at 01:14:35AM +0200, Benny Pedersen wrote:

> > Thanks for your reply.  We are already doing that.  The main question
> > is just what will break if we allow TLS only.  Do you have any
> > experience with this?
>
> nothing will break if TLSv1.1 is disabled, so end result is to not
> support SSLv2, SSLv3, TLSv1.1, all enabled is then TLSv1 and TLSv1.2

This is true inbound, but NOT true outbound, when you disable SSLv2,
SSLv3 and TLSv1.1, *all* you're left with is TLSv1.  The TLS client
(Postfix outbound SMTP delivery agent) protocol range needs to be
contiguous.  DO NOT "punch holes" in the protocol list.

Do NOT disable TLSv1.1 (even though largely unused, it does no harm, and
is not worse than TLSv1) unless you also disable all the older versions,
leaving only TLSv1.2 (and TLSv1.3 if your OpenSSL runtime is new
enough).

--
    Viktor.
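The two configuration points made in this thread, Matus's advice to serve clients on the submission (587) and submissions (465) services in master.cf, and Viktor's warning that the outbound client's protocol range must stay contiguous and that AUTH belongs only behind TLS, can both be checked mechanically. The script below is an added example written for this page; it is not code from the thread or from Postfix. It reads main.cf-style text and a master.cf fragment (both constructed samples here, not taken from any real server) and reports the pitfalls discussed. It understands only the exclusion-list form of the protocol parameters ("!SSLv2, !SSLv3"); the ">=TLSv1.2" form accepted by newer Postfix releases is not parsed.

```python
"""Audit Postfix TLS settings for two pitfalls raised in this thread: a "holed"
(non-contiguous) protocol range on the outbound SMTP client, and a submission
service that offers SASL AUTH before TLS is required. Added example, not code from
the thread or from Postfix; all configuration text below is constructed."""
import re

# Oldest to newest; the enabled range is this list minus the "!"-excluded versions.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # no current mail client needs these

def parse_main_cf(text):
    """{parameter: value} from main.cf / `postconf -n` style text."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def parse_master_cf_overrides(text, service):
    """The `-o key=value` overrides of one master.cf service, or None if absent."""
    overrides, current = None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # service definition line, not a continuation
            current = line.split()[0]
            if current == service:
                overrides = {}
            continue
        m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
        if current == service and m:
            overrides[m.group(1)] = m.group(2)
    return overrides

def enabled_protocols(value):
    """Apply an exclusion list such as '!SSLv2, !SSLv3' to PROTOCOL_ORDER."""
    excluded = {t[1:] for t in re.split(r"[\s,:]+", value) if t.startswith("!")}
    return [p for p in PROTOCOL_ORDER if p not in excluded]

def protocol_holes(value):
    """Excluded versions lying between enabled ones; non-empty means not contiguous."""
    enabled = enabled_protocols(value)
    if not enabled:
        return []
    lo, hi = PROTOCOL_ORDER.index(enabled[0]), PROTOCOL_ORDER.index(enabled[-1])
    return [p for p in PROTOCOL_ORDER[lo:hi + 1] if p not in enabled]

def audit(main_cf_text, master_cf_text):
    """Return a list of findings; an empty list means every check passed."""
    main, findings = parse_main_cf(main_cf_text), []
    # 1. Outbound client (smtp_*): exclusions must not punch holes in the range.
    for param in ("smtp_tls_protocols", "smtp_tls_mandatory_protocols"):
        holes = protocol_holes(main.get(param, ""))
        if holes:
            findings.append(f"{param}: {', '.join(holes)} excluded while older versions stay enabled")
    # 2. Submission services: effective value = main.cf plus the service's -o overrides.
    for service, param, want in (("submission", "smtpd_tls_security_level", "encrypt"),
                                 ("submissions", "smtpd_tls_wrappermode", "yes")):
        overrides = parse_master_cf_overrides(master_cf_text, service)
        if overrides is None:
            findings.append(f"{service}: service not enabled in master.cf")
            continue
        eff = {**main, **overrides}
        if eff.get(param) != want:
            findings.append(f"{service}: expected {param}={want}")
        # Wrapper mode has TLS up before AUTH; a STARTTLS service needs smtpd_tls_auth_only.
        if (eff.get("smtpd_sasl_auth_enable") == "yes" and eff.get("smtpd_tls_wrappermode") != "yes"
                and eff.get("smtpd_tls_auth_only") != "yes"):
            findings.append(f"{service}: SASL AUTH offered without smtpd_tls_auth_only=yes")
        # Absent parameter counts as "all enabled": defaults vary by version, so set it explicitly.
        weak = LEGACY & set(enabled_protocols(eff.get("smtpd_tls_mandatory_protocols", "")))
        if weak:
            findings.append(f"{service}: legacy protocols still enabled: {', '.join(sorted(weak))}")
    return findings

# Constructed samples: BAD applies the holed exclusion list to the outbound client and
# leaves the submission service on main.cf defaults; GOOD is the corrected form.
BAD_MAIN_CF = "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1\n"
BAD_MASTER_CF = """
submission inet  n  -  y  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
"""
GOOD_MAIN_CF = """
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""
GOOD_MASTER_CF = """
submission  inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_sasl_auth_enable=yes
submissions inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_sasl_auth_enable=yes
"""
```

Running `audit(BAD_MAIN_CF, BAD_MASTER_CF)` reports the TLSv1.1 hole on the outbound client, the submission service still on `may` with AUTH offered outside TLS and legacy protocol versions enabled, and the missing submissions service; `audit(GOOD_MAIN_CF, GOOD_MASTER_CF)` returns an empty list. On a live system the same checks apply to the output of `postconf -n` and the server's master.cf.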

Re: TLS Settings and Mobile Clients

@lbutlr
On 06 Aug 2020, at 02:09, Viktor Dukhovni <[hidden email]> wrote:
> - Yes, on the *submission* ports serving mail clients, you SHOULD
>  disable all TLS versions older than TLSv1.2.  This may break
>  some rather dated versions of Outlook.  These should be upgraded,
>  rather than neglected.  I would not expect any issues with iOS.

It may be possible that a very old device running something like iOS 4 or maybe 5 does not support TLS1.2, but it is very unlikely anyone is using a device that old, and they are not able to check mail with most providers.

(I know for certain that iOS 8 supported TLSv1.2, but I am unsure what version of iOS added support for it, I would guess it was around iOS 6. TLSv1.3 was added in iOS 11.)

--
There used to be such simple directions, back in the days before they
        invented parallel universes - Up and Down, Right and Left,
        Backward and Forward, Past and Future... But normal directions
        don't work in the multiverse, which has far too many dimensions
        for anyone to find their way. So new ones have to be invented so
        that the way can be found. Like: East of the Sun, West of the
        Moon Or: Behind the North Wind. Or: At the Back of Beyond. Or:
        There and Back Again. Or: Beyond the Fields We Know. --Lords and
        Ladies