mailserver test problem with "key exchange parameters"

Discussion in 'General' started by Robin.k, Aug 7, 2021.

  1. Robin.k

    Robin.k Member

    Hi,
    When I test online the ISPconfig 3 mail server with the website "en.Internet.nl", I get the message key exchange parameters

    How can I solve this problem?

    Kind Regards
    Rob
    Schermafbeelding 2021-08-07 om 07.53.08.png
     
    Last edited: Aug 16, 2021
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Which OS and which ISPConfig version are you running?
     
  4. Robin.k

    Robin.k Member

    Hi Taleman and Tom,
    I run on Debian 10 and ISPConfig 3.2.5
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
     
    [INFO] uptime:  22:37:42 up 12:36,  0 users,  load average: 0,19, 0,18, 0,12
     
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:          3,6Gi       2,0Gi       706Mi        53Mi       907Mi       1,3Gi
    Swap:          83Gi        20Mi        83Gi
     
    [INFO] systemd failed services status:
      UNIT                       LOAD   ACTIVE SUB    DESCRIPTION         
    ● certbot.service            loaded failed failed Certbot             
    ● systemd-quotacheck.service loaded failed failed File System Quota Check
    
    LOAD   = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB    = The low-level unit activation state, values depend on unit type.
    
    2 loaded units listed. Pass --all to see loaded but inactive units, too.
    To show all installed unit files use 'systemctl list-unit-files'.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.5
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.3.29-1~deb10u1
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.3.29
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Apache 2 (PID 2466)
    [INFO] I found the following mail server(s):
        Postfix (PID 1092)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 695)
    [INFO] I found the following imap server(s):
        Dovecot (PID 695)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 1138)
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    [anywhere]:993        (695/dovecot)
    [anywhere]:995        (695/dovecot)
    [localhost]:10023        (780/postgrey)
    [localhost]:10024        (1237/amavisd-new)
    [localhost]:10025        (1092/master)
    [localhost]:10026        (1237/amavisd-new)
    [localhost]:3306        (677/mysqld)
    [localhost]:10027        (1092/master)
    [anywhere]:587        (1092/master)
    [localhost]:11211        (569/memcached)
    [anywhere]:110        (695/dovecot)
    [anywhere]:143        (695/dovecot)
    [anywhere]:465        (1092/master)
    [anywhere]:21        (1138/pure-ftpd)
    ***.***.***.***:53        (587/named)
    [localhost]:53        (587/named)
    [anywhere]:22        (607/sshd)
    [anywhere]:25        (1092/master)
    [localhost]:953        (587/named)
    *:*:*:*::*:3389        (678/xrdp)
    *:*:*:*::*:993        (695/dovecot)
    *:*:*:*::*:995        (695/dovecot)
    *:*:*:*::*:10023        (780/postgrey)
    *:*:*:*::*:10024        (1237/amavisd-new)
    *:*:*:*::*:10026        (1237/amavisd-new)
    *:*:*:*::*:587        (1092/master)
    [localhost]10        (695/dovecot)
    [localhost]43        (695/dovecot)
    *:*:*:*::*:8080        (2466/apache2)
    *:*:*:*::*:80        (2466/apache2)
    *:*:*:*::*:8081        (2466/apache2)
    *:*:*:*::*:465        (1092/master)
    *:*:*:*::*:21        (1138/pure-ftpd)
    *:*:*:*::*:53        (587/named)
    *:*:*:*::*:3350        (618/xrdp-sesman)
    *:*:*:*::*:22        (607/sshd)
    *:*:*:*::*:25        (1092/master)
    *:*:*:*::*:953        (587/named)
    *:*:*:*::*:443        (2466/apache2)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination       
    f2b-postfix-sasl  tcp  --  [anywhere]/0            [anywhere]/0            multi
    port dports 25
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination       
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination       
    
    Chain f2b-postfix-sasl (1 references)
    target     prot opt source               destination       
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with
    icmp-port-unreachable
    REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with i
    cmp-port-unreachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0         
    
    
    
    
    ##### LET'S ENCRYPT #####
    Certbot is installed in /usr/bin/letsencrypt
    
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The test you refer to compains about
    Code:
    Mail server (MX)    Affected TLS versions    Status
    mail.triumph-tr2.com.    TLS 1.1    phase out
    ...    TLS 1.0    phase out
    
    Debian 10 has newer versions of the necessary protocols.
    I have in my SSLProtocol setting "... -TLSv1 -TLSv1.1 ..." which disables those to your test complains about. Have you altered that setting in Apache configuration? How was this host installed?
     
  6. Robin.k

    Robin.k Member

  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should keep TLSv1 and TLSv1.1 enabled for now, because of old mailservers not supporting newer protocols. Also, the SSLProtocol does not cause your current issue. The problem is that you are using a self signed DH key.

    To fix this:
    Code:
    nano /etc/ssl/private/ffdhe4096.pem
    Put this pre-defined group in there:
    Code:
    -----BEGIN DH PARAMETERS-----
    MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
    +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
    87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
    YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
    7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
    ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
    7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
    nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
    8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
    iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
    zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
    -----END DH PARAMETERS-----
    Then, define that .pem file in the Postfix config:
    Code:
    smtpd_tls_dh1024_param_file = /etc/ssl/private/ffdhe4096.pem
    You can follow this guide on how to add custom config for your postfix setup that is not overwritten with the next ISPConfig update: https://www.howtoforge.com/communit...-for-custom-postfix-and-dovecot-config.86559/

    I have a 100% score on internet.nl and belong to the internet.nl hall of fame of hosters, so I am sure this works ;)
     
  9. Robin.k

    Robin.k Member

    Hi Tom,

    Thanks for the information.
    I tried what you write above, but stil get this warming on internet.nl. I put the pre-defined group in /etc/ssl/private/ffdhe4096.pem
    And after this I define smtpd_tls_dh1024_param_file = /etc/ssl/private/ffdhe4096.pem in /etc/postfix/main.cf
    but still get this warning Failed: Key exchange parameters on internet.nl
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you restarted Postfix?
     
  11. Robin.k

    Robin.k Member

    Hi Tom,
    I restarted Postfix with sudo /etc/init.d/postfix restart.
    But still the I get the warning in internet.nl.
    View attachment 6826
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    On Debian 10, you normally use systemd to restart services. using init scripts may cause the daemon to not restart under some circumstances..

    systemctl restart postfix
     
  13. Robin.k

    Robin.k Member

    Hi Till, I tried "systemctl restart postfix"
    Still get this warning key exchange on internet.nl
     
    Last edited: Aug 16, 2021
  14. Robin.k

    Robin.k Member

    Hi, still not A+ for mail TSL.
    There are to solve 2 errors, as show below.
    How can I solve
    A) Cipher order
    B) Key exchange parameter
     
  15. Robin.k

    Robin.k Member

    Hi, still not A+ for mail TSL.
    There is only one error to solve !
    How can I solve
    A) Cipher order

    How to solve this Cipher order?
     
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I think the setting would be
    Code:
    tls_preempt_cipherlist = yes
     
  17. Robin.k

    Robin.k Member

    Hi,
    Yes.... now I have a 100% score on internet.nl
    Thanks for pointing me in the right direction.
     
    Th0m likes this.
  18. Robin.k

    Robin.k Member

    Hi,
    I'am now testing the website score, this is 97% but I also get this error.
    What should I change in /etc/apache2/mods-available/ssl.conf to get rid off this error.

    Key exchange parameters
    Verdict:
    Your web server supports insufficiently secure parameters for Diffie-Hellman key exchange.

    Technical details:
    Web server IP address Affected parameters Status
    DH-4096 insufficient
    DH-4096 insufficient

    Thanks
     
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I have added these lines to that file:
    Code:
    SSLOpenSSLConfCmd ECDHParameters Automatic
    SSLOpenSSLConfCmd Curves prime256v1:secp384r1
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/ffdhe4096.pem"
     
  20. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Are these tweaks appropriate for the general ISPConfig install base? Or they break some clients, and should only be made by select folks who want top ssl ratings at the expense of some client breakage?
     

Share This Page