Re: [courier-users] problems with esmtpd / cert / pem reading after update to latest snapshot (no start line)

2014-09-20 Thread Hanno Böck
On Fri, 19 Sep 2014 20:56:26 -0400
Sam Varshavchik mr...@courier-mta.com wrote:

> I just ran a test, and on a medium-powered server, it took 2 minutes
> to generate a 2048-bit parameter. That's not too bad, I suppose. A
> new install will have to generate that the first time the server gets
> started, and things will pretty much come to a halt, until that's
> done and over with. Will have to make that prominent, somewhere…

If you're worried about generation time:
DH parameters are neither secret nor is there a problem in sharing the
same parameters amongst several hosts.

From a cryptographic perspective there wouldn't be a problem in
pre-generating one set of DH params and shipping them as the default
with all courier installations.

Btw, is there currently a way of using ECDH-ciphersuites with courier?

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42


signature.asc
Description: PGP signature
--
Slashdot TV.  Video for Nerds.  Stuff that Matters.
http://pubads.g.doubleclick.net/gampad/clk?id=160591471iu=/4140/ostg.clktrk___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] problems with esmtpd / cert / pem reading after update to latest snapshot (no start line)

2014-09-20 Thread Sam Varshavchik

Hanno Böck writes:


> On Fri, 19 Sep 2014 20:56:26 -0400
> Sam Varshavchik mr...@courier-mta.com wrote:
>
> > I just ran a test, and on a medium-powered server, it took 2 minutes
> > to generate a 2048-bit parameter. That's not too bad, I suppose. A
> > new install will have to generate that the first time the server gets
> > started, and things will pretty much come to a halt, until that's
> > done and over with. Will have to make that prominent, somewhere…
>
> If you're worried about generation time:
> DH parameters are neither secret nor is there a problem in sharing the
> same parameters amongst several hosts.
>
> From a cryptographic perspective there wouldn't be a problem in
> pre-generating one set of DH params and shipping them as the default
> with all courier installations.
>
> Btw, is there currently a way of using ECDH-ciphersuites with courier?


Casual browsing of OpenSSL and GnuTLS documentation suggests that some
additional code configuration and setup is needed for that; but it's not
really clear exactly what.






Re: [courier-users] problems with esmtpd / cert / pem reading after update to latest snapshot (no start line)

2014-09-19 Thread Sam Varshavchik

Hanno Böck writes:


> Hi,
>
> I recently tried to test the latest courier snapshots (due to the spf
> fixes) on one of our servers, however it doesn't really work.
>
> When I try to connect with openssl to the smtp-port (25) via starttls I
> seem to get a connection, however it's instantly terminated.
>
> I see this in the logs:
> Sep 19 17:56:45 backup1 courieresmtpd: courieresmtpd: STARTTLS failed:
> couriertls: /etc/ssl/private/courier.pem: error:0906D06C:PEM
> routines:PEM_read_bio:no start line
>
> I saw that just recently someone had the same error and it was caused
> by Windows/DOS-style End of Line-Characters:
> http://georgik.sinusgear.com/2014/07/24/couriertls-etccourieresmtpd-pem-error0906d06cpem-routinespem_read_biono-start-line/
>
> However I checked, my cert/pem-file has no windows-eol-chars. Is there
> anything else that has changed regarding cert parsing? It's just the
> cert and the key concatenated, nothing special.


The certificate file is getting rejected by the OpenSSL library. That's  
where this error is coming from.


Try generating a self-signed file using the mkesmtpdcert script. If it  
works, then compare the general format of the file with what you have.






Re: [courier-users] problems with esmtpd / cert / pem reading after update to latest snapshot (no start line)

2014-09-19 Thread Hanno Böck
On Fri, 19 Sep 2014 18:50:51 -0400
Sam Varshavchik mr...@courier-mta.com wrote:

> The certificate file is getting rejected by the OpenSSL library.
> That's where this error is coming from.

I now found out what is wrong. It seems courier now needs dh params
either in the pem file or separately via TLS_DHPARAMS. We didn't have
them in our config yet.

However, while looking at this I found something worrying:
It seems the mkdhparams script defaults to 768 bit and the mkesmtpd
script defaults to 512 bit DH params. That's completely and utterly
insecure.
It's insecure in a way that this is practically breakable on a normal
home PC these days.

I'd strongly advise to raise these defaults to 2048, which is a
reasonable value these days.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42




Re: [courier-users] problems with esmtpd / cert / pem reading after update to latest snapshot (no start line)

2014-09-19 Thread Sam Varshavchik

Hanno Böck writes:


> On Fri, 19 Sep 2014 18:50:51 -0400
> Sam Varshavchik mr...@courier-mta.com wrote:
>
> > The certificate file is getting rejected by the OpenSSL library.
> > That's where this error is coming from.
>
> I now found out what is wrong. It seems courier now needs dh params
> either in the pem file or separately via TLS_DHPARAMS. We didn't have
> them in our config yet.
>
> However, while looking at this I found something worrying:
> It seems the mkdhparams script defaults to 768 bit and the mkesmtpd
> script defaults to 512 bit DH params. That's completely and utterly
> insecure.


I'm going to drop the bit that generates DH params in the cert file, that's  
no longer needed. That used to be the case, until the DH parameters were  
moved to a separate file; and right now the separate file gets checked  
first; the code that tries the cert as a fallback is only there in case  
someone has an old config, and doesn't bother to refresh the cert file.



> It's insecure in a way that this is practically breakable on a normal
> home PC these days.
>
> I'd strongly advise to raise these defaults to 2048, which is a
> reasonable value these days.


Most SMTP servers use self-signed certs, and, consequently, will not verify
that a peer's cert is signed by a trusted CA. This certainly doesn't help
things.


I just ran a test, and on a medium-powered server, it took 2 minutes to  
generate a 2048-bit parameter. That's not too bad, I suppose. A new install  
will have to generate that the first time the server gets started, and  
things will pretty much come to a halt, until that's done and over with.  
Will have to make that prominent, somewhere…




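The thread names two distinct ways a Courier PEM file can go wrong: OpenSSL cannot find a PEM start line (the CRLF case from the linked blog post, or simply no usable block), and the DH group that is present is far too small (the 512/768-bit defaults Hanno flags). The checker below is an added example written for this thread; it is not code from the courier-users list or from the Courier project. It assumes the file layout the thread describes (certificate and key concatenated, with an optional `DH PARAMETERS` block either in that file or in the file named by `TLS_DHPARAMS`), and it only parses the outer DER `SEQUENCE { p, g }` of the DH block to measure the size of `p`. The `make_dh_pem` helper exists to construct test input and does not check that `p` is prime, so its output is for the checker only, never for a server.

```python
"""Checker for a Courier-style TLS PEM file (added example, not Courier code).
Reports CRLF line endings, missing PEM blocks, and DH groups below 2048 bits."""
import base64
import re
import sys

MIN_DH_BITS = 2048  # the value recommended in the thread

# One PEM block: label, base64 body, and the matching END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _der_len(n):
    """DER length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n):
    """DER INTEGER for non-negative n (leading 0x00 keeps the sign positive)."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def make_dh_pem(p, g=2, eol=b"\n"):
    """Wrap p and g as a 'DH PARAMETERS' PEM block, i.e. the DER structure
    DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }.
    Constructed test input only: p is NOT checked for primality here."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([b"-----BEGIN DH PARAMETERS-----"] + lines
                    + [b"-----END DH PARAMETERS-----"]) + eol


def _der_read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(der):
    """Bit length of the prime p in a DER-encoded DHParameter SEQUENCE."""
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a DER SEQUENCE")
    tag, p_bytes, _ = _der_read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of DH PARAMETERS is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


def check_pem(data):
    """Return {'crlf', 'blocks', 'dh_bits', 'findings'} for the PEM bytes."""
    report = {"crlf": b"\r\n" in data, "blocks": [], "dh_bits": None,
              "findings": []}
    if report["crlf"]:
        report["findings"].append("CRLF line endings: OpenSSL may reject the "
                                  "file with 'no start line'; convert to LF")
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode()
        report["blocks"].append(label)
        if label == "DH PARAMETERS":
            der = base64.b64decode(b"".join(m.group(2).split()))
            report["dh_bits"] = dh_prime_bits(der)
            if report["dh_bits"] < MIN_DH_BITS:
                report["findings"].append(
                    f"DH group is only {report['dh_bits']} bits; regenerate "
                    f"with 'openssl dhparam {MIN_DH_BITS}'")
    if not report["blocks"]:
        report["findings"].append("no PEM blocks at all (no start line)")
    elif "DH PARAMETERS" not in report["blocks"]:
        report["findings"].append("no DH PARAMETERS block; supply one in "
                                  "this file or via TLS_DHPARAMS")
    return report


if __name__ == "__main__":
    # Usage: python check_pem.py /etc/ssl/private/courier.pem
    with open(sys.argv[1], "rb") as f:
        for line in check_pem(f.read())["findings"] or ["no findings"]:
            print(line)
```

Run it against the cert file and, if you use `TLS_DHPARAMS`, against that file as well; the findings list is empty only when a block of at least 2048 bits is present and the file uses LF line endings. Where the OpenSSL CLI is available, `openssl dhparam -in <file> -text -noout` reports the same group size and additionally validates the parameters, which this size-only check deliberately does not do.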