Wietse Venema:
> Sam:
> > Hello everyone
> >
> > When I run `nmap --script vuln example.com` against a server I manage, I
> > get the following vulnerability on my server on both ports 465 and 587.
> > The only solutions I found are for legacy systems.
> >
> >
> > 587/tcp open submission
> > | ssl-dh-params:
> > | VULNERABLE:
> > | Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
> > | State: VULNERABLE
> > | Transport Layer Security (TLS) services that use anonymous
> > | Diffie-Hellman key exchange only provide protection against passive
>
> Yes, anonymous ciphers do not authenticate. That is a feature, not
> a bug. PKI alone cannot authenticate an SMTP server; that requires
> DANE with DNSSEC.
Correction: mail to ports 465 and 587 currently uses A/AAAA lookups, and in
those cases an SMTP server actually can be authenticated with PKI alone. So
turning off anonymous ciphers for ports 465 and 587 can make sense.

That would change when Postfix looks up submission SMTP servers using SRV
support. Where MX lookup returns a hostname, SRV lookup returns a host and
port. Host lookups with MX or SRV are insecure without DNSSEC validation.

Wietse
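An added check, not part of the thread: this shell script verifies whether ports 465 and 587 still accept the anonymous (aNULL) suites that nmap flagged, after the exclusion Wietse describes has been applied. It assumes an OpenSSL 1.1.1+ `s_client` is installed and that you administer the host; `anon_cipher_negotiated` and `probe_anon_dh` are names chosen here.

```shell
# Added example (not from the thread). Assumes openssl s_client 1.1.1 or
# newer and that the probed host is one you administer.

# Classify captured s_client output: exit 0 when an anonymous suite
# (ADH-* or AECDH-*) was negotiated, 1 otherwise. Both the
# "New, TLSv1.2, Cipher is ..." line and the "Cipher    : ..." line of
# the SSL-Session block are recognised.
anon_cipher_negotiated() {
    printf '%s\n' "$1" |
        grep -Eq '^(New, .*Cipher is|[[:space:]]*Cipher[[:space:]]*:)[[:space:]]*(ADH|AECDH)-'
}

# Probe one host:port. 465 is implicit TLS; 587 needs STARTTLS.
# "aNULL@SECLEVEL=0" offers only anonymous suites (and lifts the default
# security level, which may otherwise filter them on the client side), so
# a completed handshake proves the server accepts them. -no_tls1_3 matters:
# TLS 1.3 has no anonymous suites, so a 1.3-capable server would otherwise
# negotiate an authenticated suite and hide the problem.
probe_anon_dh() {
    host=$1
    port=$2
    set -- -connect "$host:$port" -servername "$host" \
           -cipher 'aNULL@SECLEVEL=0' -no_tls1_3
    if [ "$port" != 465 ]; then
        set -- "$@" -starttls smtp
    fi
    out=$(printf 'QUIT\r\n' | openssl s_client "$@" 2>&1)
    if anon_cipher_negotiated "$out"; then
        echo "$host:$port accepts anonymous DH: encrypted but unauthenticated"
        return 0
    fi
    echo "$host:$port rejects anonymous DH"
    return 1
}

# Usage (example.com is the placeholder host from the thread):
#   probe_anon_dh example.com 465; probe_anon_dh example.com 587
```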