Fix RFC 7919 for Postfix

Discussion in 'Tips/Tricks/Mods' started by SpeedyB, Jun 23, 2020.

  1. SpeedyB

    SpeedyB Member HowtoForge Supporter

    Hello,

    I was searching for a while how to solve an issue I had with the Key Exchange Paramaters failing in the test.
    [​IMG]
    All postfix guides point you to self generate the dh challenge to 2048 which is not deemed safe anymore.
    The line used is this: openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
    when you try to up this to 4096 it will not make any change since according to RFC 7919 DH is no longer safe.

    After a lot of trials and errors I have found a solution which is working for me.. and is is so simple... (if you download the correct file)

    I downloaded this file: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem

    Modified the main.cf to reflect this:
    smtpd_tls_dh1024_param_file = ${config_directory}/ffdhe4096.pem

    Code:
    cd /etc/postfix
    wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
    chmod 644 ffdhe4096.pem
    postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/ffdhe4096.pem"
    service postfix restart
    I really would have liked to get this working with the elliptic curves which are good instead of sufficient but after a lot of trials and errors this was the best I could do at this moment.

    For other services:
    Dovecot:
    Code:
    vi /etc/dovecot/dovecot.conf
    #replace the line starting with ssl_dh with
    ssl_dh = </etc/postfix/ffdhe4096.pem
    Restart Dovecot
    Code:
    service dovecot restart
    
    For Apache, there was a lot more wrong (at least in my config)
    Added to /etc/apache2/apache2.conf
    Code:
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLOpenSSLConfCmd DHParameters /etc/postfix/ffdhe4096.pem
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off
    
    Restart Apache
    Code:
    service apache2 restart
    
    PureFTPd:
    Code:
    cp /etc/postfix/ffdhe4096.pem /etc/ssl/private/pure-ftpd-dhparams.pem
    service pure-ftpd-mysql restart
    
     
    Last edited: Jun 24, 2020
    Steini86, Jesse Norell and Th0m like this.
  2. Steini86

    Steini86 Active Member

    Good point.
    Don't forget to use the file also for apache/dovecot and/or other services you are using!
     
  3. SpeedyB

    SpeedyB Member HowtoForge Supporter

    Didn't think of that...

    Dovecot:
    Code:
    vi /etc/dovecot/dovecot.conf
    #replace the line starting with ssl_dh with
    ssl_dh = </etc/postfix/ffdhe4096.pem
    Restart Dovecot
    Code:
    service dovecot restart
    
    For Apache, there was a lot more wrong (at least in my config)
    Added to /etc/apache2/apache2.conf
    Code:
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLOpenSSLConfCmd DHParameters /etc/postfix/ffdhe4096.pem
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression      off
    SSLSessionTickets   off
    
    Restart Apache
    Code:
    service apache2 restart
    
    PureFTPd:
    Code:
    cp /etc/postfix/ffdhe4096.pem /etc/ssl/private/pure-ftpd-dhparams.pem
    service pure-ftpd-mysql restart
    
     
    Steini86 and Taleman like this.
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I put the .pem in a central directory so all services use the same file. I have 100% on both tests now.
     
    ahrasis and Steini86 like this.
  5. SpeedyB

    SpeedyB Member HowtoForge Supporter

    How did you go around the Pure-FTP with the central location? I couldn't find where to configure that
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I am not sure if I configured it for Pure-FTPD...
     
  7. Steini86

    Steini86 Active Member

    Be aware, that in the standard configuration, ISPconfig overwrites (some) SSL settings in the vhost files. For myself I created a custom master vhost without the SSL configuration and do all config in /etc/apache2/mods-enabled/ssl.conf
    I have the original file in /etc/ssl/private/ and all programs refer to that.
     
    ahrasis and Th0m like this.
  8. GieltjE

    GieltjE New Member

    Could you post your other tls related configuration parameters for postfix? I tried the ffdhe4096 pem file mentioned but still get the same "Key exchange parameters" failure.
     
  9. SpeedyB

    SpeedyB Member HowtoForge Supporter

    Sorry for the late reply. I didn't receive a notification :(

    Code:
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    #smtpd_tls_cert_file = /etc/postfix/smtpd.pem
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_CAfile = /etc/postfix/ca.crt
    smtp_tls_security_level = may
    smtp_tls_mandatory_protocols = !TLSv1,!TLSv1.1,!SSLv2,!TLSv3
    smtpd_tls_mandatory_protocols = !TLSv1,TLSv1.1,!SSLv2, !SSLv3
    smtpd_tls_protocols = !TLSv1,!TLSv1.1,!SSLv2,!SSLv3
    smtp_tls_protocols = !TLSv1,!TLSv1.1,!SSLv2,!SSLv3
    smtpd_tls_dh1024_param_file = ${config_directory}/ffdhe4096.pem
    smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
    smtpd_tls_eecdh_grade = auto
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    tls_preempt_cipherlist      = yes
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_ciphers           = medium
    smtp_tls_mandatory_ciphers  = $smtpd_tls_mandatory_ciphers
    smtp_tls_ciphers            = $smtpd_tls_ciphers
    lmtp_tls_mandatory_ciphers  = $smtpd_tls_mandatory_ciphers
    lmtp_tls_ciphers            = $smtpd_tls_ciphers
    tls_ssl_options = NO_RENEGOTIATION
    smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
    smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
     
  10. nhybgtvfr

    nhybgtvfr Active Member

    @SpeedyB you might want to recheck your config file. shouldn't that be:
    Code:
    smtp_tls_mandatory_protocols = !TLSv1,!TLSv1.1,!SSLv2,!SSLv3
    
     
  11. SpeedyB

    SpeedyB Member HowtoForge Supporter

    I think this must be wrong during the copy paste and autocorrect... the config was configured with !SSLv3 on both lines. This was a copy from a offline copy of a file.. So I might have already fixed it before..
     

Share This Page