Fix RFC 7919 for Postfix

Discussion in 'Tips/Tricks/Mods' started by SpeedyB, Jun 23, 2020.

  1. SpeedyB

    SpeedyB Member HowtoForge Supporter

    Hello,

    I was searching for a while how to solve an issue I had with the Key Exchange Parameters failing in the test.
    All postfix guides point you to self generate the dh challenge to 2048 which is not deemed safe anymore.
    The line used is this: openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
    When you try to up this to 4096 it will not make any change since according to RFC 7919 DH is no longer safe.

    After a lot of trials and errors I have found a solution which is working for me... and it is so simple... (if you download the correct file)

    I downloaded this file: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem

    Modified the main.cf to reflect this:
    smtpd_tls_dh1024_param_file = ${config_directory}/ffdhe4096.pem

    Code:
    cd /etc/postfix
    wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
    chmod 644 ffdhe4096.pem
    postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/ffdhe4096.pem"
    service postfix restart
    I really would have liked to get this working with the elliptic curves which are good instead of sufficient but after a lot of trials and errors this was the best I could do at this moment.

    For other services:
    Dovecot:
    Code:
    vi /etc/dovecot/dovecot.conf
    #replace the line starting with ssl_dh with
    ssl_dh = </etc/postfix/ffdhe4096.pem
    Restart Dovecot
    Code:
    service dovecot restart
    
    For Apache, there was a lot more wrong (at least in my config)
    Added to /etc/apache2/apache2.conf
    Code:
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLOpenSSLConfCmd DHParameters /etc/postfix/ffdhe4096.pem
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off
    
    Restart Apache
    Code:
    service apache2 restart
    
    PureFTPd:
    Code:
    cp /etc/postfix/ffdhe4096.pem /etc/ssl/private/pure-ftpd-dhparams.pem
    service pure-ftpd-mysql restart
    
     
    Last edited: Jun 24, 2020
    Steini86, Jesse Norell and Th0m like this.
  2. Steini86

    Steini86 Active Member

    Good point.
    Don't forget to use the file also for apache/dovecot and/or other services you are using!
     
  3. SpeedyB

    SpeedyB Member HowtoForge Supporter

    Didn't think of that...

    Dovecot:
    Code:
    vi /etc/dovecot/dovecot.conf
    #replace the line starting with ssl_dh with
    ssl_dh = </etc/postfix/ffdhe4096.pem
    Restart Dovecot
    Code:
    service dovecot restart
    
    For Apache, there was a lot more wrong (at least in my config)
    Added to /etc/apache2/apache2.conf
    Code:
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLOpenSSLConfCmd DHParameters /etc/postfix/ffdhe4096.pem
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off
    
    Restart Apache
    Code:
    service apache2 restart
    
    PureFTPd:
    Code:
    cp /etc/postfix/ffdhe4096.pem /etc/ssl/private/pure-ftpd-dhparams.pem
    service pure-ftpd-mysql restart
    
     
    Steini86 and Taleman like this.
  4. Th0m

    Th0m Active Member HowtoForge Supporter

    I put the .pem in a central directory so all services use the same file. I have 100% on both tests now.
     
    Steini86 likes this.
  5. SpeedyB

    SpeedyB Member HowtoForge Supporter

    How did you go around the Pure-FTP with the central location? I couldn't find where to configure that.
     
  6. Th0m

    Th0m Active Member HowtoForge Supporter

    I am not sure if I configured it for Pure-FTPD...
     
  7. Steini86

    Steini86 Active Member

    Be aware that in the standard configuration, ISPConfig overwrites (some) SSL settings in the vhost files. For myself I created a custom master vhost without the SSL configuration and do all config in /etc/apache2/mods-enabled/ssl.conf
    I have the original file in /etc/ssl/private/ and all programs refer to that.
     
    Th0m likes this.