Hello postfix-users,
While checking the SSL configuration of a Postfix server, I noticed that
so-called "Client-initiated secure renegotiation" is available at
Postfix by default.
You can verify it with following openssl command and press "R" once the
connection is successfully established:
openssl s_client -connect <hostname/IP>:25 -starttls smtp
250 DSN
R
RENEGOTIATING
depth=2 C = US, O = XXX, OU = www.xxx.com, CN = XXX Root CA
verify return:1
depth=1 C = US, O = XXX, OU = www.xxx.com, CN = XXX Server CA
verify return:1
depth=0 C = XX, ST = XXX, L = XXX, O = XX, CN = XXX
verify return:1
The problem with SSL renegotiation in association with DoS attacks is
already known. You can find a lot of information on the Internet, but
mostly related to HTTPS.
https://blog.qualys.com/ssllabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
There is also a modified version of a well known exploit that performs
the same attack against SMTP (STARTTLS) protocol. It establishes several
connections and initiates the renegotiation several times.
I ran this exploit against a postfix server. It was possible to increase
the load significantly with only 30 threads:
- Attackers client with 1 core CPU and 0,60 load average during the
attack. (30 SMTP connections)
- Target server with 4 core CPU and 17.0 load average during the attack.
(30 SMPT connections)
Are there already plans to make "Client-initiated secure renegotiation"
support in Postfix disengageable? I would very much appreciate it if I
could switch off this function.
Best regards,
Viktor
