[SOLVED] Matrix-Synapse and TLS-1.0

Hi all,

I almost finished the documentation on Matrix-Synapse. I only have one small problem with electronic messaging.

I have a bug with a new user’s registration and email address.
"An error was encountered when sending the email"

After Googling I found this:

babolivier commented on 5 May 2020

He mentions some commands to patch that bug, but I am still not able to connect to the mail server using port 587 with STARTTLS.

It looks like Matrix-Synapse is using TLS-1.0.

QUESTION:
Is it possible to force NethServer to use TLS-1.0?

Any suggestions would be very much appreciated.

Michel-André

You can choose an older TLS Policy, but it was disabled for security reasons.

Policy 2020-05-10

This policy disables the TLS protocol versions 1.0 and 1.1. It applies to the following services:

  • Apache (httpd, httpd-admin)
  • Ejabberd
  • Cockpit
  • Slapd (openldap-servers)
  • Postfix
  • Dovecot

Reference: Securing Applications with TLS in RHEL - Red Hat Customer Portal


Hi Marc @dnutan,

Thank you for your fast response.

I even tried: https://kmj.at/how-to-setup-your-matrix-synapse-messaging-homeserver-may-2019-english/

email:
  enable_notifs: false
  smtp_host: "localhost"
  smtp_port: 25
  require_transport_security: False
  notif_from: "Ourdomain MATRIX <noreply@my-domain.org>"
  app_name: Matrix
  template_dir: /usr/local/etc/matrix-synapse/res/templates
  riot_base_url: "https://element.my-domain.org"

I can reach https://element.my-domain.org with no problem, enter a new user, etc.

maillog:

Feb 19 16:50:32 tchana rspamd[2263]: <bec8df>; milter; rspamd_milter_process_command: got connection from 127.0.0.1:58096
Feb 19 16:50:32 tchana rspamd[2263]: <bec8df>; proxy; proxy_milter_finish_handler: finished milter connection
Feb 19 16:50:32 tchana postfix/smtpd[8997]: connect from localhost[127.0.0.1]
Feb 19 16:50:32 tchana rspamd[2263]: <2d0d03>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Feb 19 16:50:32 tchana postfix/smtpd[8997]: SSL_accept error from localhost[127.0.0.1]: -1
Feb 19 16:50:32 tchana postfix/smtpd[8997]: warning: TLS library problem: 8997:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Feb 19 16:50:32 tchana postfix/smtpd[8997]: lost connection after STARTTLS from localhost[127.0.0.1]
Feb 19 16:50:32 tchana postfix/smtpd[8997]: disconnect from localhost[127.0.0.1]
Feb 19 16:50:32 tchana rspamd[2263]: <2d0d03>; milter; rspamd_milter_process_command: got connection from 127.0.0.1:58098
Feb 19 16:50:32 tchana rspamd[2263]: <2d0d03>; proxy; proxy_milter_finish_handler: finished milter connection

???
GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

Michel-André

P.S. Just noticed:
template_dir: /usr/local/etc/matrix-synapse/res/templates
Which is wrong.

I will correct and check again.

Hi Marc @dnutan,

Corrected:

EDIT 2021-02-20_13h12 HNE:
template_dir: "lib/python3.6/site-packages/synapse/res/templates"

client_base_url: "https://element.mydomain.org"

Still problem:

With TOR I see that Matrix is trying to send the email.

maillog:

Feb 19 17:03:50 tchana postfix/smtpd[9960]: warning: TLS library problem: 9960:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

Michel-André

P.S. Might be related to the Let’s Encrypt certificate, as my server is LOCAL and my main server redirects to LOCAL. I required a cert with the main server, then all redirected links use that cert. Then I copied this cert to LOCAL and made it the default.

P.P.S. Time to take a walk in the snow before the curfew.


Salut Marc @dnutan,

You are absolutely right :1st_place_medal:

I changed the policy to 2018-10-01 and the email address started to work correctly.

I wonder if this can be applied to Postfix only?

Thank you so much,

Michel-André

Not through the UI but maybe with a custom template to override the assigned TLS policy for postfix. Do not know if additional steps are to be taken for smarthost.
Related Postfix TLS Policy templates: 2018-10-01 vs 2020-05-10

Salut Marc @dnutan

Sorry for this long post.

Yesterday I was reading about TLS and mailservers when I stumbled on this discussion: Issue - TLS Errors in maillog | Plesk Forum

Mar 3, 2019 #3
You could fiddle around with the smtpd_tls_protocols and smtpd_tls_mandatory_protocols in the /etc/postfix/main.cf to at least enable SSLv3 (that would most likely suffice to establish a connection with these two mailservers).
As for SSLv2, I strongly advise against using that and it will most likely not work anyway, due to it being no longer available in your openssl library.
When it comes to security with SSLv3 - in regard to SMTP it’s quite negligible, as the real SSLv3 killer “Heartbleed” is not really applicable here. Nonetheless, it’s for sure not the most secure protocol nowadays and I would at least use a dedicated certificate (read: a certificate with a secure key not used anywhere else) for that.

For security, imagine using TLS-1.x ???

Then I started to look at /etc/postfix/main.cf.

FOR THE SMTP CERTIFICATE:

#
# TLS for smtp client
#

# SMTP
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_cert_file = /etc/postfix/postfix.crt
smtp_tls_key_file = /etc/postfix/postfix.key

FOR THE CLIENT:

#
# TLS for smtp client
# cipher selection 2020-05-10 Only TLS1.2 (RSA and ECC certificate)
#
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers=high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, aNULL, eNULL, RC4, MD5, SEED, IDEA, SHA

Maybe just remove !TLSv1 and !TLSv1.1 with a custom template ???

For the smtp_tls_security_level = may, I looked at Postfix TLS Support. So it should be possible to use a certificate.
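Added example (not code from the thread, from NethServer or from Postfix): a small Python check for the main.cf settings above. allowed_protocols() works out which versions a Postfix smtp_tls_protocols / smtpd_tls_protocols list leaves enabled, so the effect of dropping !TLSv1 and !TLSv1.1 in a custom template is visible before applying it, and starttls_probe() connects to a STARTTLS port (such as the 587 tested with telnet below) pinned to one TLS version to confirm what the server actually negotiates. Host, port and version names are assumed parameters.

```python
import smtplib
import ssl

# Protocol names Postfix understands; which of them a given build accepts
# depends on the OpenSSL it is linked against.
ALL_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def allowed_protocols(setting: str) -> list:
    """Work out which versions a Postfix *_tls_protocols value leaves enabled.

    Names prefixed with "!" are excluded, names without a prefix are included.
    With only exclusions (the form the policy above uses) everything not
    excluded stays enabled; exclusions are applied last.
    """
    names = setting.replace(",", " ").split()
    excluded = {n[1:] for n in names if n.startswith("!")}
    included = [n for n in names if not n.startswith("!")]
    base = included if included else ALL_VERSIONS
    return [v for v in base if v not in excluded]


def starttls_probe(host: str, port: int, version: str):
    """Attempt STARTTLS on host:port pinned to exactly one TLS version.

    version is a name from ssl.TLSVersion, e.g. "TLSv1_2". Returns the
    negotiated protocol (e.g. "TLSv1.2") or None when the connection or the
    handshake fails. Certificate verification is disabled on purpose: the
    question is protocol support, not chain validity. A modern client-side
    OpenSSL may itself refuse TLSv1/TLSv1_1, which also shows up as None.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[version]
        with smtplib.SMTP(host, port, timeout=5) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            return smtp.sock.version()
    except (ssl.SSLError, smtplib.SMTPException, OSError, ValueError, KeyError):
        return None


if __name__ == "__main__":
    # Policy 2020-05-10 versus the idea of dropping the two TLSv1 exclusions
    for label, value in [("2020-05-10", "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"),
                         ("proposed", "!SSLv2, !SSLv3")]:
        print(label, ", ".join(allowed_protocols(value)))
    # Probe the local submission port (assumed host/port) per TLS version
    for v in ("TLSv1", "TLSv1_1", "TLSv1_2"):
        print(v, starttls_probe("localhost", 587, v) or "refused")
```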

Then, for security, I looked at port 587.

# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.my-domain.org ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

Then I found: OpenSSL Command-Line HOWTO

So I tried port 993:

# openssl s_client -connect remote.host:993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = my-domain.org
verify return:1
---
Certificate chain
 0 s:/CN=my-domain.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHRzCCBi+gAwIBAgISBGbCfbeRUEasSqLf5phmtJ/uMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
...
XJWGckYA03yiL4WcO+ZlNIlBfi2YjJUriPA6tWwJEZx+T+jUnuQOklqz0vfMSkM4
Ad3+0VLLpMxLmXcFWJ/3Fd9bxA5118PXByyLlfynmu3p4wIuLxr0kxKHxw==
-----END CERTIFICATE-----
subject=/CN=my-domain.org
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3658 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3845EA057ACB13E5290AFB6EE3EAC2543593395A25B42D0A8D196476658A0699
    Session-ID-ctx:
    Master-Key: 9FE6DE15B6251A2CBAA9899226110CC7AAA97993E3EDB356BABFB07E5C36D67F6B0FE9847B9864E777CE6198E4DE67D5
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - d9 18 82 f0 61 51 83 c9-49 f8 2c 2f 7d 23 7d 21   ....aQ..I.,/}#}!
...
    0090 - e8 de fc 3b 67 0a 03 79-a6 94 d4 c8 39 02 70 ae   ...;g..y....9.p.

    Start Time: 1613917577
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

This is using a Let’s Encrypt certificate.

Then I had a walk in the snow to change my mind, thinking “mail is a show stopper!”. When I came back, I re-read your post and it hit me like a flash: “I should try another policy”, AND IT WORKED FIRST SHOT!

CONCLUSION:

  1. Since TLS-1.x is not so secure, it should be possible to use it with encryption and a certificate. This will be quite a task to implement…
  2. Since my document is RC-001, I should release it using Policy 2018-10-01 and wait for feedback while I try encryption and a certificate.

Again, I thank you very much for your support, very appreciated,

Michel-André


The Synapse bug has been solved with Twisted Matrix 21.02: