Make ISPConfig secure

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Jul 21, 2021.

  1. Hello,
    I recently changed employers and my new employer is very fond of ISPConfig, which I haven't used so far. At my last employer I taught myself to use Greenbone, formerly OpenVAS to scan new servers before taking them into active service. By default ISPConfig is rather open when it comes to security and Greenbone confirms this. After googling I found a recent and for me rather helpful tutorial for security both Postfix and Docecot, which I can't link yet and added the following lines to the configuration of postfix and dovecot:

    smtpd_tls_eecdh_grade = strong
    smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_ciphers = high
    tls_preempt_cipherlist = yes
    smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

    Dovecot: /etc/dovecot/conf.d/10-ssl.conf
    ssl_prefer_server_ciphers = yes
    ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
    ssl_min_protocol = TLSv1.2

    Of course I have restarted both services after changing the files. In my understanding this should disable TLS 1.0 and 1.1 in both Postfix and Dovecot. Unfortunately I cant post the screenshot so I try to replicate the result of Greenbone in text form.

    POP3 Uncrypted Cleartext Login 110
    IMAP Uncrypted Cleartext Login 143
    SMTP Uncrypted Cleartext Login 25
    SSL/TLS Deprecated TLSv1.0 and TLSv1.1 Protocol Detection 465
    SSL/TLS Deprecated TLSv1.0 and TLSv1.1 Protocol Detection 587
    SSL/TLS Deprecated TLSv1.0 and TLSv1.1 Protocol Detection 25

    Why does Greenbone show TLS 1.0 and 1.1 as available and how to I get rid of the unencrypted cleartext logins?
    Dovecot has a mininum protocol of 1.2 and the configuration I applied explicitly forbids earlier versions. Is this an error in Dovecot or in Greenbone?
    How can I get a working instance of ISPConfig which gets a rating of not more than "Low".
    Yours sincerely
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The Dovecot configuration file is /etc/dovecot/dovecot.conf, the file you edited /etc/dovecot/conf.d/10-ssl.conf is not used at all on your server, that's why changes in this file did not work.
    Stefan Schumacher likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    How was ISPConfig installed? I have found ISPConfig makes pretty secure setup.
    What kinds of things does that greenbone complain about?
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    According to the settings in the first post, the tool complained that we are using a medium SSL cipher set and TLS modes that are compatible with older clients. The tool seems to accept only the latest ciphers as acceptable, which would cause problems on most hosting systems if you don't control the clients as well to enforce that they use only the latest software. The other thing is that SSL on pop3/imap/smtp is offered but not enforced. So ISPConfig is secure, but not a paranoid setup as our support forum here would rapidly fill up with complaints that ISPConfig is not working if we would do so. We switch off older modes on a regular basis, but we have to keep the user base in mind, which means that we can not allow only the latest SSL ciphers or the latest TLS mode.

Share This Page