Re: Enable SSLv3 from a specific IP

2022-09-24 Thread Viktor Dukhovni
On Sat, Sep 24, 2022 at 01:22:30PM +0200, Lists Nethead wrote:

> I am tasked with what the subject says, to enable
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
> from a specific IP.

Note that while the cipher was first defined for use in SSLv3, it
continues to be applicable in TLS 1.0, 1.1 and even 1.2.  For
example, on FreeBSD 12.3 system with OpenSSL 1.1.1 I get:

$ openssl ciphers -v -s -tls1_2 kDHE+aDSS+SHA1+AES:@SECLEVEL=0
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1

While on a Fedora 36 system no such ciphers are available

$ openssl ciphers -v -s -tls1_2 kDHE+aDSS:@SECLEVEL=0
$

So if your OpenSSL library does not support the cipher, you're out of
luck.

However, even if it does, that cipher can only be negotiated on a server
that has a DSA (a.k.a. DSS) certificate.  So you'd need to configure
either only a DSA certificate, or both a DSA and an RSA certificate.

That's all that's required.  Postfix is fairly liberal in the list of
ciphers it supports, because SMTP typically uses unauthenticated
opportunistic TLS, and turning up the ciphers to 11 is mostly
counterproductive.

> I suppose that must be a lookup table but unsure about the syntax. Or,  
> is smtpd_discard_ehlo_keyword_address_maps the way to go?

It is not possible to configure fine-grained TLS settings by client
IP directly in Postfix.  You'd have to use iptables or similar to
map connections from the client in question to an alternative SMTP
port, for which in master.cf you configure appropriate settings.

You probably do not need a dedicated port, just configure both an
RSA and a DSA certificate.  Why you'd want to do this is a mystery,
an SMTP client that only supports DSS is rather a museum piece.

If the client in fact only supports SSL 3.0 (even more ancient), then
you'd need to have an OpenSSL version that has not disabled SSL 3.0:

$ openssl ciphers -v -s -ssl3 kDHE+aDSS+AES:@SECLEVEL=0
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1

and to change the default value of "smtpd_tls_protocols":

# Postfix 3.6 or later:
smtpd_tls_protocols = >=SSLv3

# Older Postfix
smtpd_tls_protocols = !SSLv2

-- 
Viktor.
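The two checks Viktor describes above (is the suite present in the local OpenSSL build, and which certificate key type its Au= field implies) can be scripted. The following is an added example written for this thread; it is not Viktor's code and not part of Postfix or OpenSSL. It parses the `openssl ciphers -v` output format quoted in the message, using the FreeBSD and Fedora outputs from the thread as constructed samples, and the names `CipherInfo`, `server_requirements`, `smtpd_tls_protocols_value` and `probe_local_openssl` are this example's own. The `AUTH_TO_CERT` mapping is an assumption covering only the Au values OpenSSL commonly prints.

```python
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the `openssl ciphers -v -s -tls1_2 ...` lines from the
# FreeBSD 12.3 / OpenSSL 1.1.1 run quoted in the thread.
SAMPLE_FREEBSD = """\
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1
"""
# Constructed sample: the same command on Fedora 36 printed nothing.
SAMPLE_FEDORA = ""


@dataclass(frozen=True)
class CipherInfo:
    name: str
    protocol: str   # version the suite was first defined for, e.g. SSLv3
    kx: str         # key exchange, e.g. DH
    au: str         # peer authentication: which certificate key type signs
    enc: str        # bulk cipher
    mac: str        # record MAC


def parse_ciphers_v(text: str) -> list[CipherInfo]:
    """Parse `openssl ciphers -v` output: one suite per line, formatted as
    NAME PROTO Kx=.. Au=.. Enc=.. Mac=.. with variable spacing."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue                      # blank line or unexpected format
        attrs = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append(CipherInfo(parts[0], parts[1], attrs.get("Kx", ""),
                                 attrs.get("Au", ""), attrs.get("Enc", ""),
                                 attrs.get("Mac", "")))
    return suites


# Au value -> certificate key type the server must present (assumption:
# only the values OpenSSL commonly prints are mapped).
AUTH_TO_CERT = {"RSA": "rsa", "DSS": "dsa", "ECDSA": "ecdsa"}


def find_cipher(text: str, wanted: str) -> Optional[CipherInfo]:
    return next((c for c in parse_ciphers_v(text) if c.name == wanted), None)


def server_requirements(text: str, wanted: str) -> dict:
    """What the server side needs before `wanted` can be negotiated: the
    suite must exist in the library, and the server must hold a certificate
    whose key type matches the suite's Au= field (DSS -> a DSA certificate)."""
    suite = find_cipher(text, wanted)
    if suite is None:
        return {"available": False, "cert_type": None}
    return {"available": True, "cert_type": AUTH_TO_CERT.get(suite.au)}


def smtpd_tls_protocols_value(postfix_version: tuple) -> str:
    """main.cf value that re-admits SSL 3.0, as given in the thread:
    '>=SSLv3' on Postfix 3.6 or later, '!SSLv2' on older releases."""
    return ">=SSLv3" if postfix_version >= (3, 6) else "!SSLv2"


def probe_local_openssl(protocol_flag: str, cipherlist: str) -> Optional[str]:
    """Run the thread's `openssl ciphers -v -s <flag> <list>` command against
    the installed OpenSSL. Returns its stdout, "" when the library reports
    no matching suites, or None when no openssl binary is on PATH."""
    if shutil.which("openssl") is None:
        return None
    cmd = ["openssl", "ciphers", "-v", "-s", protocol_flag, cipherlist]
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.stdout if res.returncode == 0 else ""


if __name__ == "__main__":
    for label, out in (("freebsd-sample", SAMPLE_FREEBSD),
                       ("fedora-sample", SAMPLE_FEDORA)):
        print(label, server_requirements(out, "DHE-DSS-AES128-SHA"))
    live = probe_local_openssl("-tls1_2", "kDHE+aDSS+SHA1+AES:@SECLEVEL=0")
    if live is not None:
        print("local openssl", server_requirements(live, "DHE-DSS-AES128-SHA"))
```

Running it on the quoted samples reports the suite as available and needing a DSA certificate for the FreeBSD output, and unavailable for the Fedora output; the final block repeats the probe against whatever OpenSSL is installed locally, which is the check to run before touching any Postfix setting.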


Re: Enable SSLv3 from a specific IP

2022-09-24 Thread Benny Pedersen

Lists Nethead wrote on 2022-09-24 13:22:

> Hello Postfix users,
>
> I am tasked with what the subject says, to enable
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
> from a specific IP.

why?

> I suppose that must be a lookup table but unsure about the syntax. Or,
> is smtpd_discard_ehlo_keyword_address_maps the way to go?

irrelevant

> Thankful for a pointer.

sparse info gives sparse answer

https://askubuntu.com/questions/893155/simple-way-of-enabling-sslv2-and-sslv3-in-openssl

please verify if you still have an openssl that supports it; if it's
compile-time disabled, please don't use it


Enable SSLv3 from a specific IP

2022-09-24 Thread Lists Nethead

Hello Postfix users,

I am tasked with what the subject says, to enable
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
from a specific IP.

I suppose that must be a lookup table but unsure about the syntax. Or,  
is smtpd_discard_ehlo_keyword_address_maps the way to go?


Thankful for a pointer.

Best,
Per