I've applied all of the settings suggested below except the forward secrecy part on my email server running postfix 2.10.1 (the latest in the CentOS7 repository), and test.drownattack.com still reports a vulnerability on port 25. Any help will be greatly appreciated.

postconf -nf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = scan:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
mail_owner = postfix
mailbox_size_limit = 819200000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 81920000
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = cloudmail.example.com
mynetworks = 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org bl.spamcop.net b.barracudacentral.org
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr,
    SEED, IDEA, RC2
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions =

permit_mynetworks,reject_non_fqdn_hostname,reject_invalid_hostname,permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_policy_service unix:postgrey/socket, reject_invalid_hostname,
    reject_non_fqdn_hostname, reject_unauth_destination, reject_rbl_client
    list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client
    cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /certificate/storage/cloudmail.shopsite.com/fullchain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /certificate/storage/cloudmail.shopsite.com/cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2
smtpd_tls_key_file = /certificate/storage/cloudmail.shopsite.com/private.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = no
tls_random_source = dev:/dev/urandom
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/spool/virtual
virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 819200000
virtual_mailbox_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 8
virtual_transport = virtual
virtual_uid_maps = static:8
postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_mailbox_limit_maps=mysql:/etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_maildir_limit_message=Sorry, Your maildir has overdrawn your diskspace quota, please free some space of your mailbox and try again.
postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_mailbox_limit_override=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_overquota_bounce=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_create_maildirsize=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: smptd_tls_session_cache_database=btree:/var/spool/postfix/smtpd_tls_cache
postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_mailbox_extended=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_tls_note_starttls_offer=yes


postconf -Mf

smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
-o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
scan       unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes -o disable_mime_output_conversion=yes
    -o smtp_generic_maps=
[127.0.0.1]:10025 inet n -       n       -       10      smtpd
    -o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions= -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions= -o smtpd_relay_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8


On 3/1/2016 10:16 AM, Viktor Dukhovni wrote:

Some of the servers that expose TLS to cross-protocol DROWN attacks
via SSLv2 are MTAs running Postfix.  If you're using an older
Postfix release (released prior to July 20 2015), or you've explicitly
configured TLS settings that may have enabled SSLv2, please update
your configuration as suggested below:

    # Minimal recommended settings.  Whenever the built-in defaults are
    # sufficient, let the built-in defaults stand by deleting any explicit
    # overrides.  The default mandatory TLS protocols have never included
    # SSLv2, check to make sure you have not inadvertently enabled it.
    #
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    tlsproxy_tls_protocols = $smtpd_tls_protocols
    tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols

    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    lmtp_tls_protocols = !SSLv2, !SSLv3
    lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3

    smtpd_tls_ciphers = medium
    smtp_tls_ciphers = medium

    # Other best practices

    # Strongly recommended:
    # http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs
    # (Note, before applying the setting below, you'll need to create
    # the dh2048.pem parameter file as described in FORWARD_SECRECY_README)
    #
    smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem
    smtpd_tls_eecdh_grade = strong

    # Suggested, not strictly needed:
    #
    smtpd_tls_exclude_ciphers =
         EXPORT, LOW, MD5, SEED, IDEA, RC2
    smtp_tls_exclude_ciphers =
         EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
