Hi Justina,

Kali tools is of course extremely imprecise. Excuse me, I had a long stressful 
day and wanted to get this out before the end of the day. Kali is a rolling 
release and I keep it up to date by upgrading every few days. I also update the 
feeds. What I actually use for security scans is the former OpenVAS, which now 
has been relegated to being a part of the Community Edition of the Greenbone 
suite. You have seen the values I have in Dovecot. What follows now are my 
settings in the postfix main.cf. As you can clearly see, it should prevent 
connections from TLS below 1.2. Dovecot is of course not very fresh because 
it's Debian 10 and Debian 11 is just around the corner (a few days). These are 
the settings of my postfix main.cf. I am very tempted to grab an image of 
Debian 11 and install ISPConfig and my Dovecot and Postfix settings there. I am 
of course open to any other suggestions. At the moment I am considering 
installing a new Bullseye RC2 and then putting my configuration on it. I am of 
course open to any other suggestions.

Yours sincerely
Stefan

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level=may
smtpd_tls_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
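
An added example, not part of the original message or of Postfix: a small main.cf checker that applies Postfix's logical-line rule (only indented lines continue a parameter) and evaluates the include/exclude form of the *_tls_protocols lists. It assumes the name / !name list syntax only, and the function names and sample text are constructed for illustration.

```python
import re
# Protocol names accepted in Postfix *_tls_protocols lists, oldest first.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = set(PROTOCOLS[:4])

def parse_main_cf(text):
    """Return (params, orphans); orphans are unindented lines without '='."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # indented line continues the previous one
        else:
            logical.append(raw.strip())
    params, orphans = {}, []
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
        else:
            orphans.append(line)
    return params, orphans

def enabled_protocols(value):
    """Bare names include, '!' names exclude; no includes means start from all."""
    tokens = [t for t in re.split(r"[,\s:]+", value) if t]
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    return [p for p in PROTOCOLS if p in (include or PROTOCOLS) and p not in exclude]

def audit(text):
    """Flag orphan lines and protocol lists that leave anything below TLSv1.2 on."""
    params, orphans = parse_main_cf(text)
    findings = [f"orphan line, not part of any parameter: {o!r}" for o in orphans]
    for name, value in params.items():
        is_proto = name.endswith(("_tls_protocols", "_tls_mandatory_protocols"))
        if is_proto and (weak := DEPRECATED & set(enabled_protocols(value))):
            findings.append(f"{name} still allows {sorted(weak)}")
    return findings

# Constructed sample, not the configuration from the thread.
SAMPLE = """\
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, MD5, RC4,
3DES, eNULL
smtp_tls_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
"""
```

Calling audit() on the text of a main.cf returns one finding per unindented wrapped line and per protocol list that still permits SSLv2 through TLSv1.1.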







________________________________
From: justina colmena ~biz <just...@colmena.biz>
Sent: Wednesday, 14 July 2021 18:50
To: dovecot@dovecot.org <dovecot@dovecot.org>; Stefan Schumacher 
<s.schumac...@consulting1x1.com>
Subject: Re: TLS Security

Interesting.

Assuming your "Kali" tools are in fact up to date to test with newer protocols 
TLS1.2+, is Dovecot compiled against a recent version of the OpenSSL or GnuTLS 
library or whatever it uses to support the newer TLS protocols?

Definitely an outdated cipher issue, on Postfix as well as Dovecot....


On July 14, 2021 6:55:19 AM AKDT, Stefan Schumacher 
<s.schumac...@consulting1x1.com> wrote:

Hi,


I wish to build a new secure email server. It seems I am on the right way – at 
least I get no more error messages for Postfix – but Dovecot is still making 
trouble.


I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPConfig 3.25 to do the 
rough configuring and nano and what's left of my brain to do the finer details. 
Let's start with what I added to conf.d/10-ssl.conf


ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem

ssl_key = </etc/letsencrypt/live/servername/privkey.pem


ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$

ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

ssl_min_protocol = TLSv1.2


As you can see, I clearly do not want to use TLS before v1.2. I think this is 
not unreasonable in the year 2021.


Now, after the changes I ran Kali (I use it to verify the results of my 
experiments)

and - this is a mailing list, so no screenshots:

It says:


SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the ports 
143, 110, 993 and 995.


I thought I had done everything one could to disable old TLS versions. What am 
I doing wrong?


Yours sincerely

Stefan Schumacher


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
