Thank you for explaining. I'm sorry I'm not sure whether I understand that there's a solution or it's OK. Is there a setting that I can update in postfix to fix this? I already limited smtpd ciphers to high, with smtpd_tls_ciphers.

Is there something I can do to fix this "vulnerability"?

PS: Matus asked about the "outdated" solution, here it is: https://www.clearos.com/clearfoundation/social/community/did-an-external-nmap-script-vuln-scan-and-found-a-few-issues-relating-to-ssl-fixes ; none of these options seem to apply in postfix somehow, and then from a previous discussion I learned that many TLS_* options were deprecated. Besides, I saw in postfix documentation that DH options should be loaded automatically from OpenSSL and not be specified (IIRC).

Best regards,
Sam


On 07/01/2023 6:38 PM, Wietse Venema wrote:
> Wietse Venema:
> > Sam:
> > > Hello everyone
> > >
> > > when I run `nmap --script vuln example.com` against a server I manage, I
> > > get the following vulnerability on my server on both ports 465 and 587.
> > > The only solutions I found are for legacy systems.
> > >
> > >
> > > 587/tcp   open   submission
> > > | ssl-dh-params:
> > > |   VULNERABLE:
> > > |   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
> > > |     State: VULNERABLE
> > > |       Transport Layer Security (TLS) services that use anonymous
> > > |       Diffie-Hellman key exchange only provide protection against passive
> > Yes, anonymous ciphers do not authenticate. That is a feature, not
> > a bug. PKI alone cannot authenticate an SMTP server, that requires
> > DANE with DNSSEC.
> Correction: mail to port 465 and 587 currently uses A/AAAA lookups,
> and in those cases an SMTP server actually can be authenticated
> with PKI alone. So turning off anonymous ciphers for ports 465 and
> 587 can make sense.
>
> That would change when Postfix looks up submission SMTP servers
> using SRV support. Where MX lookup returns a hostname, SRV lookup
> returns a host and port. Host lookups with MX or SRV are insecure
> without DNSSEC validation.
>
>         Wietse
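The per-port change Wietse describes above (dropping anonymous ciphers on 465 and 587 while leaving opportunistic TLS on port 25 as it is), written out as an added example that is not part of this thread and not copied from Postfix documentation; the service names, the host in the verification commands, and the choice of the mandatory-TLS exclude parameter are assumptions.

```conf
# /etc/postfix/master.cf  (assumed standard service names; 465 runs in wrapper mode)
# Both services set smtpd_tls_security_level=encrypt, so the *_mandatory_*
# cipher parameters apply there and aNULL is excluded only on these two ports.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_exclude_ciphers=aNULL
smtps      inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_exclude_ciphers=aNULL

# Broader alternative in /etc/postfix/main.cf: exclude aNULL at every TLS
# security level, which also covers opportunistic TLS on port 25. Per Wietse's
# reply, port 25 gains no authentication from this without DANE/DNSSEC, so the
# per-service override above is the narrower change.
# smtpd_tls_exclude_ciphers = aNULL

# Verification after "postfix reload": a client restricted to anonymous suites
# must no longer complete a handshake. aNULL suites only exist in TLS 1.2 and
# earlier (TLS 1.3 defines none), so the check pins TLS 1.2.
#   openssl s_client -connect mail.example.com:465 -tls1_2 -cipher aNULL </dev/null
#   openssl s_client -connect mail.example.com:587 -starttls smtp -tls1_2 -cipher aNULL </dev/null
# Expected: an alert such as "handshake failure" rather than an established session;
# a normal "openssl s_client" run without -cipher should still succeed.
```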
