Salut Marc @dnutan
Sorry for this long post.
Yesterday I was reading about TLS and mailservers when I stumbled on this discussion: https://talk.plesk.com/threads/tls-errors-in-maillog.351487/
Mar 3, 2019 #3
You could fiddle around with the smtpd_tls_protocols and smtpd_tls_mandatory_protocols in the
/etc/postfix/main.cf to at least enable SSLv3 (that would most likely suffice to establish a connection with these two mailservers)
As for SSLv2, I strongly advice against using that and it will most likely not work anyway, due to beeing no longer available in your openssl library.
When it comes to security with SSLv3 - in regards of SMTP it’s quite negligible, as the real SSLv3 Killer “Heartbleed” is not really applicable here. Nontheless, it’s for sure not the most secure protocol nowadays and I would at least use a dedicated certificate (read: a certificate with a secure key not used anywhere else) for that.
For security, imagine using TLS-1.x ???
Then I started to look at
FOR THE SMTP CERTIFICATE:
# TLS for smtp client
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_cert_file = /etc/postfix/postfix.crt
smtp_tls_key_file = /etc/postfix/postfix.key
FOR THE CLIENT:
# TLS for smtp client
# cipher selection 2020-05-10 Only TLS1.2 (RSA and ECC certificate)
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, aNULL, eNULL, RC4, MD5, SEED, IDEA, SHA
Maybe just remove
!TLSv1.1 with a custom template ???
smtp_tls_security_level = may, I looked at http://www.postfix.org/TLS_README.html. So it should be possible to use a certificate.
Then for security, I looked at port 587
# telnet localhost 587
Connected to localhost.
Escape character is '^]'.
220 server.my-domain.org ESMTP Postfix
221 2.0.0 Bye
Connection closed by foreign host.
Then I found: https://www.madboa.com/geek/openssl/#cs-smtp
So I tried port 993:
# openssl s_client -connect remote.host:993
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
depth=1 C = US, O = Let's Encrypt, CN = R3
depth=0 CN = my-domain.org
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 3658 bytes and written 415 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - d9 18 82 f0 61 51 83 c9-49 f8 2c 2f 7d 23 7d 21 ....aQ..I.,/}#}!
0090 - e8 de fc 3b 67 0a 03 79-a6 94 d4 c8 39 02 70 ae ...;g..y....9.p.
Start Time: 1613917577
Timeout : 300 (sec)
Verify return code: 0 (ok)
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
This is using a Let’s Encrypt certificate.
Then I had a walk in the snow to change my mind, thinking “mail is a show stopper”!. When I came back, I re-read your post and it hit me like a flash “I should try another policy” AND IT WORKED FIRST SHOT !
- Since TLS-1.x are not so secure, it should be possible to use it with encryption and a certificate. This will be quite a task to implement…
- Since my document is RC-001, I should release it with using Policy 2018-10-01 and wait for feedback while I try encryption and a certificate.
Again, I thank you very much for your support, very appreciated,