possible to reach hardenize's requirements?


Re: possible to reach hardenize's requirements?

Ralph Seichter-2
* Dominic Raferd:

> I think hardenize is hitting my server too hard and maybe that is why
> it is (wrongly) saying there is a problem with the server

Hardenize's first test run caused my fail2ban setup to silently ban the
IPs where the probing originated. Still, even with fail2ban disabled,
TLS is mistakenly reported as "not implemented".

-Ralph

Re: possible to reach hardenize's requirements?

Ralph Seichter-2
In reply to this post by Viktor Dukhovni
* Viktor Dukhovni:

> over IPv6 your SMTP server does have a rather noticeable pre-greet
> delay

Thanks for checking. While the server is moving north of 80 Mbyte/s of
network traffic (evenly spread between in- and outbound) over thousands
of connections, I don't know if that might be a possible reason for the
delay you observed?

-Ralph

Re: possible to reach hardenize's requirements?

Wietse Venema
In reply to this post by @lbutlr
@lbutlr:

> On 13 Apr 2019, at 00:57, Dominic Raferd <[hidden email]> wrote:
> > I too find that hardenize complains about my STARTTLS without any
> > details as to why. Like @lbutlr (and most of us) I offer STARTTLS on
> > port 25 but not AUTH. However I see this message in my log after the
> > test ran, I think hardenize is hitting my server too hard and maybe that
> > is why it is (wrongly) saying there is a problem with the server:
> >
> > 2019-04-13 07:36:23 streamingbats postfix/smtpd[19724]: warning:
> > Connection rate limit exceeded: 31 from
> > outbound.hardenize.com[18.233.176.231] for service smtp
>
> Checking my logs:
>
> postfix/smtpd[45229]: connect from outbound.hardenize.com[18.233.176.231]
> postfix/smtpd[45229]: SSL_accept error from outbound.hardenize.com[18.233.176.231]: -1
> postfix/smtpd[45229]: lost connection after STARTTLS from outbound.hardenize.com[18.233.176.231]
> postfix/smtpd[45229]: disconnect from outbound.hardenize.com[18.233.176.231] ehlo=1 starttls=0/1 ...

Same here. Speculation: they require PKI certificate verification.

        Wietse

Re: possible to reach hardenize's requirements?

Viktor Dukhovni


> On Apr 13, 2019, at 10:23 AM, Wietse Venema <[hidden email]> wrote:
>
>> postfix/smtpd[45229]: connect from outbound.hardenize.com[18.233.176.231]
>> postfix/smtpd[45229]: SSL_accept error from outbound.hardenize.com[18.233.176.231]: -1
>> postfix/smtpd[45229]: lost connection after STARTTLS from outbound.hardenize.com[18.233.176.231]
>> postfix/smtpd[45229]: disconnect from outbound.hardenize.com[18.233.176.231] ehlo=1 starttls=0/1 ...
>
> Same here. Speculation: they require PKI certificate verification.

One might also speculate that they try various ciphers and protocols, some of which
don't pan out.  The only way to determine which ciphers a server supports is to
try lots of connections; servers don't send their complete cipherlist to clients,
they only send the one cipher they accepted.  Ditto with protocol versions.

So one would expect a failed handshake any time an unsupported cipher or protocol
is tested.

--
        Viktor.


Re: possible to reach hardenize's requirements?

Ivan Ristic
In reply to this post by Micah Anderson-2
Hello list,

I am the founder/developer of Hardenize. I was alerted to this thread by one or two participants (thanks!) and I thought it would be a good idea to join the list to respond. (I don't have an earlier email from the same thread to respond to, but perhaps reusing the same subject may do the trick.) I've read the entire thread and here are my thoughts:

- Wherever you're seeing unexpected results, the root cause is probably some sort of server throttling of our connections. To discover all supported TLS suites we need one connection per suite, and then we do that for each protocol separately. If in doubt, whitelist outbound.hardenize.com and try again.

- At present our report tries to be factual, without any recommendations except for the obvious. As a rule of thumb, if the report card (left) shows orange or red, that's because something is broken or clearly insecure. We may show additional orange and red on the right, but we often do that to call out some insecure elements. For example, TLS 1.0 as a protocol is weak and we need to call it out as such, even if it's all right (or acceptable) to use with SMTP.

- As a rule of thumb, I think it would be very difficult for a commercially-viable operation to eliminate all the warnings.

- When it comes to SMTP and TLS, we think that servers should support modern protocols (so TLS 1.2 or better) with forward secrecy. That's pretty much it, except for some protocol elements that are so dangerous that they could be used to compromise other servers (e.g., HTTPS). We have different (stricter) requirements when MTA-STS is enabled.

- Re DMARC, at this point I believe we factually report on whether DMARC is supported, without endorsing a particular configuration. When we start to recommend it, we will add more content to describe the caveats.

If you have specific objections and recommendations, I'd appreciate it if you could open a ticket at https://github.com/hardenize/hardenize-public/issues and we'd be happy to discuss and learn. Please bear in mind that our report is by no means complete today; we're on a journey and we have a pretty long to-do list internally of things we wish to work on and improve.

Many thanks.

--
Ivan
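A defender-side check that follows from Viktor's and Ivan's points above (a scanner needs one connection per suite per protocol, so it trips anvil(8) rate limits and leaves a run of failed-STARTTLS sessions): this added example is not code from the thread, Postfix or Hardenize. It parses smtpd log lines of the shape quoted in the thread, computes each client's peak connections per anvil_rate_time_unit window (the 60s default is assumed), and separates a client that fails some handshakes but completes others from one whose STARTTLS never succeeds. The log lines, hostnames and addresses are constructed, and an rsyslog-style ISO timestamp prefix is assumed.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: (.*)$")
CLIENT_RE = re.compile(r"[\w.-]+\[[^\]]+\]")  # Postfix "name[address]" form, IPv6 included
# Constructed sample lines shaped like those quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
2019-04-13 07:36:01 mx postfix/smtpd[101]: connect from probe.example.net[192.0.2.10]
2019-04-13 07:36:01 mx postfix/smtpd[101]: disconnect from probe.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
2019-04-13 07:36:02 mx postfix/smtpd[102]: connect from probe.example.net[192.0.2.10]
2019-04-13 07:36:02 mx postfix/smtpd[102]: disconnect from probe.example.net[192.0.2.10] ehlo=2 starttls=1 quit=1 commands=4
2019-04-13 07:36:03 mx postfix/smtpd[103]: connect from probe.example.net[192.0.2.10]
2019-04-13 07:36:03 mx postfix/smtpd[103]: disconnect from probe.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
2019-04-13 07:38:00 mx postfix/smtpd[104]: connect from mail.example.org[198.51.100.5]
2019-04-13 07:38:01 mx postfix/smtpd[104]: disconnect from mail.example.org[198.51.100.5] ehlo=2 starttls=1 quit=1 commands=4
"""

def parse_smtpd_log(lines, rate_time_unit=60):
    """Per client: connects, STARTTLS outcomes, peak connects per rate_time_unit window (anvil's unit)."""
    stats = defaultdict(lambda: dict(connects=0, starttls_ok=0, starttls_fail=0, peak_rate=0))
    connect_times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        c = CLIENT_RE.search(m.group(2)) if m else None
        if not c:
            continue
        msg, client = m.group(2), c.group(0)
        if msg.startswith("connect from"):
            stats[client]["connects"] += 1
            connect_times[client].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
        elif msg.startswith("disconnect from"):
            st = re.search(r"starttls=(\d+)(?:/(\d+))?", msg)  # "starttls=1" done, "0/1" failed
            if st:
                ok, tried = int(st.group(1)), int(st.group(2) or st.group(1))
                stats[client]["starttls_ok"] += ok
                stats[client]["starttls_fail"] += tried - ok
    window = timedelta(seconds=rate_time_unit)
    for client, ts in connect_times.items():
        ts.sort()  # sliding window: for each connect, count those at most one window old
        stats[client]["peak_rate"] = max(i - bisect_right(ts, t - window) + 1 for i, t in enumerate(ts))
    return dict(stats)

def classify(stats, rate_limit):
    def label(s):  # label each client against a candidate smtpd_client_connection_rate_limit
        if s["peak_rate"] > rate_limit:
            return "throttled"  # would trigger the "Connection rate limit exceeded" warning
        if s["starttls_fail"] and s["starttls_ok"]:
            return "tls-probe"  # mixed outcomes: a client trying several suites/protocols
        return "tls-broken" if s["starttls_fail"] else "ok"  # never completes vs. healthy
    return {client: label(s) for client, s in stats.items()}
```

Run over a real mail log, a client labelled "tls-probe" is a scanner enumerating suites rather than evidence that STARTTLS is broken, and "throttled" shows which limit value would cut such a scan short.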