On Thu, Apr 27, 2017 at 06:55:37AM +0200, Poliman - Serwis wrote:

> Is between dovecot and postfix some communication?

None to the IMAP service, and especially nothing that involves
smtpd(8) TLS settings.

> tls_ssl_options = no_ticket, no_compression

You've been reading and following some idiot's guide to "securing"
TLS with Postfix, leave this and most of the below settings at
their default values.

> tls_preempt_cipherlist = yes

That's fine.

> smtpd_sasl_security_options=noanonymous,noplaintext

Better, just disable SASL without TLS.


> smtpd_sasl_tls_security_options=noanonymous,noplaintext

Unless you're doing GSSAPI, most of the other options require a
store of the actual unhashed passwords on the server, and far worse
than "plaintext".  I would not use "noplaintext".

> smtpd_tls_mandatory_ciphers = high

Bad idea, set "medium" instead, default in recent versions of Postfix.

> smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

This is fine.

> #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't
> know what should be set up
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA

Leave this parameter at its default value.  Instead, if that is
not *already* the default, set:

    smtpd_tls_protocols = !SSLv2, !SSLv3

> smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA

The above is inane.  Leave this parameter at its default value.
Instead, make sure that you have (likely already the default):

    smtp_tls_ciphers = medium

Only if you desperately want a smaller TLS ClientHello, try:

    smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

Those are not needed for interoperability and just add bloat.  You
may also add RC4, after monitoring your server for a while (a month
or more) and checking your logs to make sure that no legitimate
peers require RC4 (look for TLS connections using RC4 in your logs).

> Before setting up those lines in main.cf, dovecot didn't cry any error in the log.

Dovecot errors are the result of configuration changes you've made in
Dovecot.

-- 
        Viktor.

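The advice above about watching the logs for a while before excluding RC4 can be scripted. The following is an added example, not code from the thread or from Postfix: it scans Postfix "TLS connection established" log lines (the standard smtpd/smtp message format), counts TLS sessions, and lists the peers that negotiated an RC4 cipher. The sample log lines, host names and addresses are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix's TLS log format (not taken from the thread).
SAMPLE_LOG = """\
Apr 27 06:40:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from client.example.org[192.0.2.10]: TLSv1 with cipher RC4-SHA (128/128 bits)
Apr 27 06:41:12 mx postfix/smtpd[2102]: Anonymous TLS connection established from relay.example.net[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 27 06:42:30 mx postfix/smtp[2103]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Apr 27 06:43:45 mx postfix/smtpd[2104]: Anonymous TLS connection established from client.example.org[192.0.2.10]: TLSv1 with cipher RC4-SHA (128/128 bits)
Apr 27 06:44:00 mx postfix/smtpd[2105]: connect from unknown[192.0.2.99]
"""

# smtpd logs "... from host[addr]: ...", smtp logs "... to host[addr]:port: ...".
TLS_RE = re.compile(
    r"postfix/(?P<service>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def rc4_peers(log_text: str, needle: str = "RC4") -> dict:
    """Count TLS sessions in Postfix log text and report the peers whose
    negotiated cipher name contains `needle` (RC4 by default)."""
    sessions = 0
    peers = Counter()
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if not m:  # not a TLS handshake line (e.g. a plain "connect from")
            continue
        sessions += 1
        if needle in m.group("cipher"):
            peers[(m.group("service"), m.group("peer"), m.group("cipher"))] += 1
    return {"tls_sessions": sessions, "matching": sum(peers.values()), "peers": dict(peers)}


if __name__ == "__main__":
    summary = rc4_peers(SAMPLE_LOG)
    print(f"{summary['matching']} of {summary['tls_sessions']} TLS sessions used RC4")
    for (service, peer, cipher), n in sorted(summary["peers"].items()):
        print(f"  {service:5} {peer:40} {cipher:10} x{n}")
```

To run it over a real mail log, pass the file contents to `rc4_peers()` instead of `SAMPLE_LOG`; an empty `peers` result after a month of traffic is the condition the reply describes before adding RC4 to the exclude list.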