On 5/22/2011 4:27 AM, Mark Alan wrote:
Hello list,
While using ubuntu 10.10, postfix 2.8.1, dovecot 2.0.12, openssl
0.9.8o, and trying to connect to the mail server via postfix
'submission' the best cipher that I am able to get is
DHE-RSA-AES128-SHA (128/128 bits)
As it is only the 11th entry in the list shown by
openssl ciphers -v 'ALL:@STRENGTH'
and given that openssl on both the mail server and client
machines shows that better ciphers are supported, is there a way to
enforce higher ciphers?
logs follow:
random thoughts...
Is postfix also the client? What are the settings on that
machine?
Are you certain you're connecting to the submission port?
adding "-o syslog_name=postfix-submission" or similar to the
master.cf submission entry is helpful.
Remove your *_exclude_ciphers entries and let openssl figure it
out itself. It usually does a better job of finding the best
common cipher than you can by hand.
-- Noel Jones
The (anonymized) session log goes like this:
May 22 09:25:27 mx postfix/smtpd[7984]: connect from
unknown[192.168.1.60]
May 22 09:25:27 mx postfix/smtpd[7984]: setting up TLS connection from
unknown[192.168.1.60]
May 22 09:25:28 mx postfix/smtpd[7984]: Anonymous TLS connection
established from unknown[192.168.1.60]: TLSv1 with cipher
DHE-RSA-AES128-SHA (128/128 bits)
May 22 09:25:35 mx postfix/smtpd[7984]: 299CD8192:
client=unknown[192.168.1.60], sasl_method=LOGIN,
sasl_username=test...@example.org
May 22 09:25:36 mx postfix/cleanup[8004]: 299CD8192: message-id=<>
May 22 09:25:36 mx postfix/qmgr[7946]: 299CD8192:
from=<test...@example.org>, size=506, nrcpt=1 (queue active)
May 22 09:25:36 mx postfix/smtpd[7984]: disconnect from
unknown[192.168.1.60]
$ grep -A 4 'submission' /etc/postfix/master.cf
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
Both client MUA and server MTA machines show:
$ openssl ciphers -v 'ALL:@STRENGTH' | head -n 11
ADH-AES256-SHA          SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH   Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
ADH-AES128-SHA          SSLv3 Kx=DH   Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1
$ sudo postconf -n | grep -v '^smtp_' | grep 'tls\|sasl'
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    reject_unauth_pipelining, reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,
    reject_unlisted_sender, reject_unknown_sender_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/example.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/example.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtpd_tls_protocols = !SSLv2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
Thank you,
Mark
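The two checks Noel suggests (confirm which service the session actually came in on, then let the cipher policy be verified rather than hand-tuned) can be scripted. The following is an added example written for this thread, not code posted by Mark or Noel and not part of Postfix: it audits "TLS connection established" lines from mail.log to show the service tag, protocol, cipher and key size each client negotiated, prints the master.cf submission stanza from the thread with the `-o syslog_name=postfix-submission` override added, and probes port 587 with `openssl s_client` using three cipher lists so that a LOW/EXPORT-only offer must be refused while `AES256-SHA` must be accepted. The sample log lines are constructed (modelled on the session log above, plus one hypothetical line showing the `postfix-submission` tag), and `mx.example.org` is a placeholder host.

```shell
#!/bin/sh
# Added example for the postfix-users thread above; not code from the thread or
# from Postfix.  Assumptions: the submission entry in master.cf carries
# "-o syslog_name=postfix-submission", and mx.example.org is a placeholder host.

# Constructed sample of mail.log lines, modelled on the session log in the
# thread.  The third line is hypothetical: it is what a session looks like once
# syslog_name=postfix-submission is set, so port 587 can be told apart from 25.
SAMPLE_LOG='May 22 09:25:27 mx postfix/smtpd[7984]: connect from unknown[192.168.1.60]
May 22 09:25:28 mx postfix/smtpd[7984]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
May 22 10:01:02 mx postfix-submission/smtpd[8120]: Anonymous TLS connection established from unknown[192.168.1.60]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)'

# tls_sessions: read syslog lines on stdin, print one line per TLS session:
#   <service> <protocol> <cipher> <bits>
# <service> is the syslog tag, e.g. postfix/smtpd or postfix-submission/smtpd.
tls_sessions() {
  awk '/TLS connection established/ {
    svc = $5; sub(/\[.*/, "", svc)           # "postfix/smtpd[7984]:" -> "postfix/smtpd"
    for (i = 6; i <= NF; i++)
      if ($i == "with") {                    # "... TLSv1 with cipher NAME (128/128 bits)"
        proto = $(i - 1); cipher = $(i + 2); bits = $(i + 3)
      }
    gsub(/[()]/, "", bits); sub(/\/.*/, "", bits)   # "(128/128" -> "128"
    print svc, proto, cipher, bits
  }'
}

# weaker_than N: keep only sessions whose negotiated key size is below N bits.
weaker_than() {
  awk -v min="$1" '$4 + 0 < min + 0'
}

# submission_master_entry: the master.cf stanza from the thread, with the
# syslog_name override Noel suggested.  Continuation lines must be indented.
submission_master_entry() {
  cat <<'EOF'
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix-submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# probe HOST CIPHERLIST: STARTTLS to port 587 offering only CIPHERLIST; print
# the cipher the server accepted, or "none" if the handshake failed.
probe() {
  openssl s_client -connect "$1:587" -starttls smtp -cipher "$2" </dev/null 2>/dev/null |
    awk -F': *' '/^ *Cipher *:/ { c = $2 }
                 END { r = (c == "" || c == "0000") ? "none" : c; print r }'
}

# check_cipher_policy HOST: with smtpd_tls_security_level=encrypt on submission
# and smtpd_tls_mandatory_ciphers = high, the LOW:EXPORT probe must print
# "none"; the first probe shows the best cipher a client offering everything
# gets, the second confirms a 256-bit suite is accepted.
check_cipher_policy() {
  for list in 'ALL:@STRENGTH' 'AES256-SHA' 'LOW:EXPORT'; do
    printf '%-14s -> %s\n' "$list" "$(probe "$1" "$list")"
  done
}

# Usage: sh tls-audit.sh                  # audit the constructed sample only
#        sh tls-audit.sh mx.example.org   # also probe a live server (placeholder host)
# On a real MTA, replace the sample with:  tls_sessions < /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | tls_sessions
printf '%s\n' "$SAMPLE_LOG" | tls_sessions | weaker_than 256
if [ -n "${1:-}" ]; then
  check_cipher_policy "$1"
fi
```

Run against the real mail.log before tightening main.cf: the service column tells you immediately whether a session that negotiated AES128 came in on port 25 (where `smtpd_tls_ciphers = medium` and the opportunistic settings apply) or on the submission service (where the `smtpd_tls_mandatory_*` settings apply), which is exactly the distinction Noel asks about.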