nmap says there's vulnerability with Diffie-Hellman settings

Sat, 07 Jan 2023 00:38:53 -0800 

Hello everyone
when I run `nmap --script vuln example.com` against a server I manage, I get the following vulnerability on my server on both ports 465 and 587. The only solutions I found are for legacy systems. 


587/tcp   open   submission
| ssl-dh-params:
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive

|       eavesdropping, and are vulnerable to active man-in-the-middle 
attacks

|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 2048
|             Generator Length: 8
|             Public Key Length: 2048
|     References:
|_      https://www.ietf.org/rfc/rfc2246.txt



My settings (slightly redacted):

```
$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
maillog_file = /dev/stdout
message_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = example.com
mynetworks_style = subnet
myorigin = localmail.example.com
non_smtpd_milters = inet:email-opendkim:12301
postscreen_upstream_proxy_protocol = haproxy

proxy_read_maps = $local_recipient_maps $mydestination 
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps 
$virtual_mailbox_domains $relay_recipient_maps $relay_domains 
$canonical_maps $sender_canonical_maps $recipient_canonical_maps 
$relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
smtpd_helo_restrictions = reject_invalid_helo_hostname,
smtpd_milters = inet:email-opendkim:12301

smtpd_recipient_restrictions = check_sender_access 
hash:/etc/postfix/sender_access, permit_sasl_authenticated, 
permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, 
reject_unknown_recipient_domain, reject_unauth_destination, 
reject_rbl_client sbl.spamhaus.org, reject_rbl_client 
b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, 
reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.spamcop.net, 
reject_rbl_client cbl.abuseat.org, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination

smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot

smtpd_sender_login_maps = 
proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf

smtpd_tls_auth_only = yes
smtpd_tls_cert_file = fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = ultra
smtpd_tls_key_file = privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
```

Let me know what you think.

All the best,
Sam






















					Reply via email to