Hi Eero. I'm using the default settings in postfix. In fact, if you
look in my settings you'll find `smtpd_tls_eecdh_grade = ultra`. That's
the only DH related thing AFAIK.
On 07/01/2023 1:53 PM, Eero Volotinen wrote:
I think you are using insecure dh group 1?
Eero
On Sat, 7 Jan 2023 at 10:39, Sam (lis...@afach.de) wrote:
Hello everyone
when I run `nmap --script vuln example.com` against a server I manage, I
get the following vulnerability on my server on both ports 465 and 587.
The only solutions I found are for legacy systems.
```
587/tcp open submission
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 2048
| Generator Length: 8
| Public Key Length: 2048
| References:
|_ https://www.ietf.org/rfc/rfc2246.txt
```
My settings (slightly redacted):
```
$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
maillog_file = /dev/stdout
message_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = example.com
mynetworks_style = subnet
myorigin = localmail.example.com
non_smtpd_milters = inet:email-opendkim:12301
postscreen_upstream_proxy_protocol = haproxy
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
smtpd_helo_restrictions = reject_invalid_helo_hostname,
smtpd_milters = inet:email-opendkim:12301
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = ultra
smtpd_tls_key_file = privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
```
Let me know what you think.
All the best,
Sam
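As an added example (not code from this thread), a small Python triage script that parses the `ssl-dh-params` output quoted above into one record per DH group and flags anonymous key exchange and undersized moduli; the sample text, regexes and function names are constructed for this example.

```python
import re
# Constructed sample modelled on the ssl-dh-params block quoted in the thread.
SAMPLE_NMAP_OUTPUT = """\
587/tcp open  submission
| ssl-dh-params:
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
|             Modulus Length: 2048
|             Public Key Length: 2048
|     References:
|_      https://www.ietf.org/rfc/rfc2246.txt
"""
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open")             # "587/tcp open ..."
GROUP_RE = re.compile(r"^\|\s+((?:ANONYMOUS|WEAK) DH GROUP \d+)\s*$")
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z ]+):\s+(\S.*)$")       # "Key: value" lines

def parse_dh_groups(output):
    """One dict per DH group the script reported, tagged with its port."""
    groups, port, current = [], None, None
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, current = int(m.group(1)), None
            continue
        m = GROUP_RE.match(line)
        if m:
            current = {"port": port, "group": m.group(1)}
            groups.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None and m.group(1) in ("Cipher Suite", "Modulus Length"):
            current[m.group(1)] = m.group(2)
    return groups

def triage(groups, min_modulus_bits=2048):
    """Flag anonymous suites (server not authenticated, the MitM finding nmap describes) and moduli below policy."""
    findings = []
    for g in groups:
        suite = g.get("Cipher Suite", "")
        bits = int(g.get("Modulus Length", "0"))
        if "_anon_" in suite or "ANONYMOUS" in g["group"]:
            findings.append((g["port"], suite, "anonymous DH: server not authenticated"))
        if bits < min_modulus_bits:
            findings.append((g["port"], suite, f"modulus {bits} bits < {min_modulus_bits}"))
    return findings
```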