On Sat, Sep 24, 2022 at 01:22:30PM +0200, Lists Nethead wrote:

> I am tasked with what the subject says, to enable
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
> from a specific IP.
Note that while the cipher was first defined for use in SSLv3, it
continues to be applicable in TLS 1.0, 1.1 and even 1.2.

For example, on a FreeBSD 12.3 system with OpenSSL 1.1.1 I get:

    $ openssl ciphers -v -s -tls1_2 kDHE+aDSS+SHA1+AES:@SECLEVEL=0
    DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
    DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

While on a Fedora 36 system no such ciphers are available:

    $ openssl ciphers -v -s -tls1_2 kDHE+aDSS:@SECLEVEL=0
    $

So if your OpenSSL library does not support the cipher, you're out of
luck. However, even if it does, that cipher can only be negotiated on a
server that has a DSA (a.k.a. DSS) certificate. So you'd need to
configure either only a DSA certificate, or both a DSA and an RSA
certificate. That's all that's required. Postfix is fairly liberal in
the list of ciphers it supports, because SMTP typically uses
unauthenticated opportunistic TLS, and turning up the ciphers to 11 is
mostly counterproductive.

> I suppose that must be a lookup table but unsure about the syntax. Or,
> is smtpd_discard_ehlo_keyword_address_maps the way to go?

It is not possible to configure fine-grained TLS settings by client IP
directly in Postfix. You'd have to use iptables or similar to map
connections from the client in question to an alternative SMTP port,
for which in master.cf you configure appropriate settings.

You probably do not need a dedicated port, just configure both an RSA
and a DSA certificate. Why you'd want to do this is a mystery; an SMTP
client that only supports DSS is rather a museum piece.
If the client in fact only supports SSL 3.0 (even more ancient), then
you'd need to have an OpenSSL version that has not disabled SSL 3.0:

    $ openssl ciphers -v -s -ssl3 kDHE+aDSS+AES:@SECLEVEL=0
    DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
    DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

and to change the default value of "smtpd_tls_protocols":

    # Postfix 3.6 or later:
    smtpd_tls_protocols = >=SSLv3

    # Older Postfix
    smtpd_tls_protocols = !SSLv2

-- 
Viktor.
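The two checks the reply above hinges on, as an added example that is not part of the original post, of Postfix, or of OpenSSL: first, whether the local OpenSSL build still carries DHE-DSS-AES128-SHA at security level 0 (the FreeBSD box in the reply does, the Fedora box does not); second, that the suite only negotiates when the server presents a DSA certificate, shown by a throw-away loopback s_server/s_client handshake once with a DSA cert and once with an RSA cert. Assumptions: an `openssl` binary on PATH (1.1.1 or 3.x), a free TCP port on 127.0.0.1 (`PORT`, default 4433), and a writable temp dir; the certificate subjects, file names and the Postfix paths in the trailing comment are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Probes the local OpenSSL
# for the DHE-DSS suite discussed above, then demonstrates that it is only
# negotiated against a DSA server certificate.
# Assumes: openssl on PATH, free TCP port $PORT on 127.0.0.1, writable tmpdir.

CIPHER=DHE-DSS-AES128-SHA
PORT=${PORT:-4433}

# Filter "openssl ciphers -v" output on stdin down to the suite names that
# use DSS (DSA) authentication, i.e. the ones that need a DSA server cert.
dss_ciphers_in() {
    awk '$4 == "Au=DSS" { print $1 }'
}

# Constructed sample: the two lines quoted from the FreeBSD box in the reply
# plus an RSA-authenticated suite that the filter must drop.
SAMPLE_CIPHERS='DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'

# Exit 0 if the local OpenSSL lists CIPHER for TLS 1.2 at security level 0
# (a Fedora-style build with DSS ciphers removed exits 1 here).
local_openssl_has_cipher() {
    openssl ciphers -v -s -tls1_2 'kDHE+aDSS+SHA1+AES:@SECLEVEL=0' 2>/dev/null \
        | dss_ciphers_in | grep -qx "$CIPHER"
}

# Start s_server with the given cert/key, let s_client offer only CIPHER,
# and exit 0 only if the session summary shows that suite was negotiated.
handshake_with() {
    cert=$1 key=$2
    openssl s_server -accept "$PORT" -cert "$cert" -key "$key" -tls1_2 \
        -cipher 'ALL:@SECLEVEL=0' -quiet >/dev/null 2>&1 &
    srv=$!
    sleep 1
    out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
        -cipher "$CIPHER:@SECLEVEL=0" </dev/null 2>&1)
    kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null
    printf '%s\n' "$out" | grep -q "Cipher is $CIPHER"
}

# Self-signed throw-away certificates (one day validity) in directory $1.
make_dsa_cert() {
    openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 \
        -out "$1/dsa.params" 2>/dev/null &&
    openssl genpkey -paramfile "$1/dsa.params" -out "$1/dsa.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/dsa.key" -out "$1/dsa.crt" -days 1 \
        -subj /CN=dsa-test.example 2>/dev/null
}
make_rsa_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$1/rsa.key" \
        -out "$1/rsa.crt" -days 1 -subj /CN=rsa-test.example 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    if local_openssl_has_cipher; then
        echo "local OpenSSL still offers $CIPHER at SECLEVEL=0"
        tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
        if make_dsa_cert "$tmp" && make_rsa_cert "$tmp"; then
            if handshake_with "$tmp/dsa.crt" "$tmp/dsa.key"; then
                echo "DSA cert: $CIPHER negotiated"
            else
                echo "DSA cert: handshake did not settle on $CIPHER"
            fi
            if handshake_with "$tmp/rsa.crt" "$tmp/rsa.key"; then
                echo "RSA cert: $CIPHER negotiated (unexpected)"
            else
                echo "RSA cert: handshake failed, as expected without a DSA cert"
            fi
        fi
    else
        echo "local OpenSSL does not offer $CIPHER; nothing to configure"
    fi
fi

# The matching Postfix side, using the DSA cert parameters from postconf(5)
# (paths are placeholders): keep the RSA cert for everyone else and add the
# DSA one, so only the DSS-only client ends up selecting it.
#   smtpd_tls_cert_file  = /etc/postfix/rsa.crt
#   smtpd_tls_key_file   = /etc/postfix/rsa.key
#   smtpd_tls_dcert_file = /etc/postfix/dsa.crt
#   smtpd_tls_dkey_file  = /etc/postfix/dsa.key
```

Run it as `sh dss-check.sh` (or `PORT=8443 sh dss-check.sh` if 4433 is taken). The RSA-cert run is the useful negative: with no DSA certificate the client's only offered suite cannot be selected and the handshake fails, which is exactly why the reply says you need a DSA certificate configured before anything else matters.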