Re: [courier-users] Perfect Forward Secrecy - please implement this on courier
Thank you very much! As Bernd Wurst commented I also needed to have the entire PEM file + the contents of the dhparams file I had generated in one file for it to work as TLS_DHCERTFILE, otherwise it won't work with the error message error:0906D06C:PEM routines:PEM_read_bio:no start line_. I would like to add however that in addition so setting this option in esmpd-ssl you also need to set the same option in esmtpd! Otherwise you will have the DHE ciphers on SMTP-over-SSL port 465, but NOT with STARTTLS on port 25 ! Thanks again, Gerald PS: It's really great to have a lot of knobs. But most users will never notice all the knobs, therefore - if possible - security settings should provide the best security by default. [ at least from the perspective of a non-US-citizen, your opinion on this may vary if you belong to the country who does the spying instead of living in the country being spied on :-) ] On 21.08.2013 03:09, Sam Varshavchik wrote: Sam Varshavchik writes: Gerald Hopf writes: default. If even the official courier-mta.org MX server doesn't have this correctly enabled, I somehow doubt anyone else does... And somehow dovecot/postfix seem to manage to have this as default without generation special DH parameter files ? It's two opposite philosophies. You can either try to do everything automatically and by default. But, if the default rules don't work for someone, there's little they can do. Or, provide a knob for every setting, putting you in charge and full control of everything. You have more work to do, but you have more flexibility. I don't know offhand why you cannot get the ciphers you want. All the moving pieces should be in place. The DH parameters should get loaded, if they exist. I'll try to do some tinkering later, myself. Ok, here's exactly what I mean. In your esmtpd-ssl, imapd-ssl, or pop3-ssl configuration file, set the TLS_DHCERTFILE setting to the file that has your DH parameters, in PEM format. It can be the same file as the TLS_CERTFILE. Results: Version: TLSv1/SSLv3 Bits: 256 Cipher: DHE-RSA-AES256-SHA -- LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. http://pubads.g.doubleclick.net/gampad/clk?id=58041151iu=/4140/ostg.clktrk ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Perfect Forward Secrecy - please implement this on courier
Thanks for the quick reply! On 20.08.2013 01:34, Sam Varshavchik wrote: I do not see the connection between PFS and these two specific key exchange protocols. PFS is just a generic concept, not tied to any particular technology. To my knowledge the ciphers starting with DHE and ECDHE are the only ones implementing this type of key echange. When reading articles on this topic (there are quite a few), those are always the ones mentioned that you should have and look for. I don't think there are any other key exchange protocols in openssl besides those two that implement this. In addition to TLS_CIPHER_LIST, the list of available ciphers also depends on your certificate file. Except I've got exactly the SAME certificate file in my dovecot configuration and connecting to the dovecot ports works with DHE/ECDHE. Courier: Protocol : TLSv1.2 / Cipher: AES256-GCM-SHA384 Dovecot: Protocol : TLSv1.2 / Cipher: DHE-RSA-AES256-GCM-SHA384 On another server I've got a very similiar certificate file (from the same CA, just for a different domain) in use on Postfix for SMTP (where PFS works with STARTTLS) and in Zarafa (a Linux Exchange replacement) where PFS doesn't work. So on this other system also the server software also determines what gets used and not the certificate. I don't recall offhand if you are required to use a DH certificate, instead of an RSA certificate, or if having DH parameters is sufficient. Use 'openssl dhparams to generate a set of new DH parameters, and append them to your certificate file, and see if it helps. If not, try creating a new DH certificate. dhparams doesn't list anything containing DHE or ECDHE. I don't think it has anything to do with the certificate file. No article I've read on this ever mentioned that this depends on the certificate file. Do you know of any courier servers where openssl s_client -connect domain.net:465 (probably also the same for IMAPS and POP3S ports) shows that a connection was made using Cipher: that starts with DHE or ECDHE? I would seriously doubt that such a thing does exist :-) openssl s_client -starttls smtp -connect mailx.courier-mta.com:25 = Protocol : TLSv1.2 / Cipher: AES256-GCM-SHA384 = No DHE/ECDHE capability on the MX for courier-mta.org ! Gerald -- Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511iu=/4140/ostg.clktrk ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Perfect Forward Secrecy - please implement this on courier
Gerald Hopf writes: I don't recall offhand if you are required to use a DH certificate, instead of an RSA certificate, or if having DH parameters is sufficient. Use 'openssl dhparams to generate a set of new DH parameters, and append them to your certificate file, and see if it helps. If not, try creating a new DH certificate. dhparams doesn't list anything containing DHE or ECDHE. I don't think it has anything to do with the certificate file. No article I've read on this ever mentioned that this depends on the certificate file. openssl dhparams generates DH parameters. couriertls checks if the certificate file contains DH parameters, and if so, they get loaded. As you know, Courier reads both the private key and the certificate from the same file. PEM-formatted files may have multiple contents, like a private key and a certificate. And DH parameters. I wrote: Use 'openssl dhparams to generate a set of new DH parameters, and append them to your certificate file, and see if it helps. Did you do that? pgpmpW9SnTFQA.pgp Description: PGP signature -- Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511iu=/4140/ostg.clktrk___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Perfect Forward Secrecy - please implement this on courier
openssl dhparams generates DH parameters. couriertls checks if the certificate file contains DH parameters, and if so, they get loaded. As you know, Courier reads both the private key and the certificate from the same file. PEM-formatted files may have multiple contents, like a private key and a certificate. And DH parameters. I wrote: Use 'openssl dhparams to generate a set of new DH parameters, and append them to your certificate file, and see if it helps. Did you do that? Sorry, I had not fully understood what I was supposed to do and got confused by the output of openssl dhparams (which because my terminal window was too small had omitted the openssl:Error: 'dhparams' is an invalid command at the top and I was under the impression that the list of Cipher commands was actually the output of this command and not just a general list of options displayed for a wrong parameter - my openssl knowledge barely goes beyond copypaste) Searching for the dhparm syntax (without the s in the end) I found this excellent guide that even mentions courier specifically: https://tech.immerda.ch/2011/11/the-state-of-forward-secrecy-in-openssl/ Following this guide, I ran openssl dhparam -out dhparams.pem 2048 and cat dhparams.pem esmtpd.pem and /etc/init.d/courier restart but nothing has changed. I then also tried it with a custom cipher list (EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5 and I also tried DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL) but that didn't change things either with the new DH PARAMETERS section at the end of the PEM file . So it's still not working. Thank you very much for helping me jump through those hoops though! But I somehow doubt that many people would do that, even if it were documented and working. The excellent guide I linked to a few lines earlier says: If you find any application which exhibits this problem, please file a bug report and convince the maintainers to at least generate a warning to the user and state the consequences in the documentation. If you are a developer of an application which uses OpenSSL please consider shipping install scripts that generate dhparams or generate them on the fly if they are missing. Please do not just let OpenSSL silently disable a key feature of SSL. While DHE/ECDGE do carry some performance penalty, according to: http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html it's only 15-27% for ECDHE (more for DHE). I would suggest that in the age of cheap multi-core CPUs (and in the age of a certain agency snooping through pretty much the entire internet traffic - at least from my european perspective) such a low performance penalty is not reason enough to make a not-as-secure SSL option the default. If even the official courier-mta.org MX server doesn't have this correctly enabled, I somehow doubt anyone else does... And somehow dovecot/postfix seem to manage to have this as default without generation special DH parameter files ? Gerald -- Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511iu=/4140/ostg.clktrk ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Perfect Forward Secrecy - please implement this on courier
Gerald Hopf writes: default. If even the official courier-mta.org MX server doesn't have this correctly enabled, I somehow doubt anyone else does... And somehow dovecot/postfix seem to manage to have this as default without generation special DH parameter files ? It's two opposite philosophies. You can either try to do everything automatically and by default. But, if the default rules don't work for someone, there's little they can do. Or, provide a knob for every setting, putting you in charge and full control of everything. You have more work to do, but you have more flexibility. I don't know offhand why you cannot get the ciphers you want. All the moving pieces should be in place. The DH parameters should get loaded, if they exist. I'll try to do some tinkering later, myself. pgpLt5xaNwKmN.pgp Description: PGP signature -- Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511iu=/4140/ostg.clktrk___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Perfect Forward Secrecy - please implement this on courier
Sam Varshavchik writes: Gerald Hopf writes: default. If even the official courier-mta.org MX server doesn't have this correctly enabled, I somehow doubt anyone else does... And somehow dovecot/postfix seem to manage to have this as default without generation special DH parameter files ? It's two opposite philosophies. You can either try to do everything automatically and by default. But, if the default rules don't work for someone, there's little they can do. Or, provide a knob for every setting, putting you in charge and full control of everything. You have more work to do, but you have more flexibility. I don't know offhand why you cannot get the ciphers you want. All the moving pieces should be in place. The DH parameters should get loaded, if they exist. I'll try to do some tinkering later, myself. Ok, here's exactly what I mean. In your esmtpd-ssl, imapd-ssl, or pop3-ssl configuration file, set the TLS_DHCERTFILE setting to the file that has your DH parameters, in PEM format. It can be the same file as the TLS_CERTFILE. Results: Version: TLSv1/SSLv3 Bits: 256 Cipher: DHE-RSA-AES256-SHA pgpYruTCphzga.pgp Description: PGP signature -- Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511iu=/4140/ostg.clktrk___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Perfect Forward Secrecy - please implement this on courier
Hi. Am 21.08.2013 03:09, schrieb Sam Varshavchik: Ok, here's exactly what I mean. In your esmtpd-ssl, imapd-ssl, or pop3-ssl configuration file, set the TLS_DHCERTFILE setting to the file that has your DH parameters, in PEM format. It can be the same file as the TLS_CERTFILE. Thanks for your hints, I could follow them and have PFS running on my testing machine now. But one thing is weird: I had to put dhparams in the same file as the regular cert and reference this one on TLS_DHCERTFILE. At my first try, I put dhparams in a separate file. This lead to TLS being unavailable completely with this error: couriertls: /etc/ssl/private/dhparams.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line Just putting the dhparams at the end of the cert-PEM and using this as TLS_DHCERTFILE fixed it. Bernd signature.asc Description: OpenPGP digital signature -- Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511iu=/4140/ostg.clktrk___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
[courier-users] Perfect Forward Secrecy - please implement this on courier
Perfect forward secrecy (PFS) is a property of the key-agreement protocol that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future (Source: http://en.wikipedia.org/wiki/Perfect_forward_secrecy) The problem: Courier does unfortunately NOT use forward secrecy. Whether PFS is in use can be checked with: openssl s_client -starttls smtp -connect your-host.net:25 openssl s_client -connect your-host.net:465 = in the output the line Cipher: must contain either DHE or ECDHE if forward secrecy is active. I've tried changing the option TLS_CIPHER_LIST in esmtpd and esmtpd-ssl using the cipher list from dovecot (ALL:!LOW:!SSLv2:!EXP:!aNULL) as well as the cipher list recommended in a discussion from late 2012 on the courier-imap list (http://sourceforge.net/mailarchive/forum.php?thread_name=cone.1353972661.237590.10550.1000%40monster.email-scan.comforum_name=courier-imap) but this has not changed the problem. I've therefore not been able to get courier to use the secure key exchange ciphers (DHE*, ECDHE*). Will this security problem get fixed anytime soon (or do I have to move to postfix which does this just fine, just like dovecot)? If it can be fixed with a different TLS_CIPHER_LIST please make this new cipher list the default. I have however been unable to do so, but this may be just my stupidity :-) Gerald PS: I'm running courier 0.69 on Gentoo Linux 64Bit. Openssl version is 1.0.1c, I've not tried Courier with GnuTLS. I have however now updated to Courier 0.71 and it has not changed anything. -- Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511iu=/4140/ostg.clktrk ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Perfect Forward Secrecy - please implement this on courier
Gerald Hopf writes: Perfect forward secrecy (PFS) is a property of the key-agreement protocol that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future (Source: http://en.wikipedia.org/wiki/Perfect_forward_secrecy) The problem: Courier does unfortunately NOT use forward secrecy. Whether PFS is in use can be checked with: openssl s_client -starttls smtp -connect your-host.net:25 openssl s_client -connect your-host.net:465 = in the output the line Cipher: must contain either DHE or ECDHE if forward secrecy is active. I do not see the connection between PFS and these two specific key exchange protocols. PFS is just a generic concept, not tied to any particular technology. I've tried changing the option TLS_CIPHER_LIST in esmtpd and esmtpd-ssl using the cipher list from dovecot (ALL:!LOW:!SSLv2:!EXP:!aNULL) as well as the cipher list recommended in a discussion from late 2012 on the courier-imap list (http://sourceforge.net/mailarchive/forum.php?thread_name=cone. 1353972661.237590.10550.1000%40monster.email-scan.comforum_name=courier- imap) but this has not changed the problem. In addition to TLS_CIPHER_LIST, the list of available ciphers also depends on your certificate file. I don't recall offhand if you are required to use a DH certificate, instead of an RSA certificate, or if having DH parameters is sufficient. Use 'openssl dhparams to generate a set of new DH parameters, and append them to your certificate file, and see if it helps. If not, try creating a new DH certificate. pgp8pV52G2IS5.pgp Description: PGP signature -- Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511iu=/4140/ostg.clktrk___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users