Re: Enable SSLv3 from a specific IP

2022-09-27 Thread Lists Nethead

Quoting Viktor Dukhovni :

> On Sun, Sep 25, 2022 at 10:24:23AM +0200, Lists Nethead wrote:
>
> > > You probably do not need a dedicated port, just configure both an
> > > RSA and a DSA certificate.  Why you'd want to do this is a mystery,
> > > an SMTP client that only supports DSS is rather a museum piece.
> >
> > Thank you Viktor for this explanation, really helpful, I will go with
> > the iptables suggestion (or in our case pf). The OS is FreeBSD 12 so
> > it should be doable.
>
> Are you sure you need a dedicated port?  Are you trying to avoid
> configuring an additional DSA certificate on the default port?
>
> In any case, your call.  Yes, remapping the client to a non-default
> port via a packet filter will give you enough rope.


It will be re-mapped to a different SMTP server altogether; because we
know the sending IPs, it is easy to restrict access.


Thanks,
Per



Re: Enable SSLv3 from a specific IP

2022-09-25 Thread Viktor Dukhovni
On Sun, Sep 25, 2022 at 10:24:23AM +0200, Lists Nethead wrote:

> > You probably do not need a dedicated port, just configure both an
> > RSA and a DSA certificate.  Why you'd want to do this is a mystery,
> > an SMTP client that only supports DSS is rather a museum piece.
> 
> Thank you Viktor for this explanation, really helpful, I will go with  
> the iptables suggestion (or in our case pf). The OS is FreeBSD 12 so  
> it should be doable.

Are you sure you need a dedicated port?  Are you trying to avoid
configuring an additional DSA certificate on the default port?

In any case, your call.  Yes, remapping the client to a non-default
port via a packet filter will give you enough rope.

-- 
Viktor.


Re: Enable SSLv3 from a specific IP

2022-09-25 Thread Lists Nethead



Quoting Viktor Dukhovni :

> On Sat, Sep 24, 2022 at 01:22:30PM +0200, Lists Nethead wrote:
>
> > I am tasked with what the subject says, to enable
> > DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
> > from a specific IP.
>
> Note that while the cipher was first defined for use in SSLv3, it
> continues to be applicable in TLS 1.0, 1.1 and even 1.2.  For
> example, on a FreeBSD 12.3 system with OpenSSL 1.1.1 I get:
>
> $ openssl ciphers -v -s -tls1_2 kDHE+aDSS+SHA1+AES:@SECLEVEL=0
> DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
> DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1
>
> While on a Fedora 36 system no such ciphers are available:
>
> $ openssl ciphers -v -s -tls1_2 kDHE+aDSS:@SECLEVEL=0
> $
>
> So if your OpenSSL library does not support the cipher, you're out of
> luck.
>
> However, even if it does, that cipher can only be negotiated on a server
> that has a DSA (a.k.a. DSS) certificate.  So you'd need to configure
> either only a DSA certificate, or both a DSA and an RSA certificate.
>
> That's all that's required.  Postfix is fairly liberal in the list of
> ciphers it supports, because SMTP typically uses unauthenticated
> opportunistic TLS, and turning up the ciphers to 11 is mostly
> counterproductive.
>
> > I suppose that must be a lookup table but unsure about the syntax. Or,
> > is smtpd_discard_ehlo_keyword_address_maps the way to go?
>
> It is not possible to configure fine-grained TLS settings by client
> IP directly in Postfix.  You'd have to use iptables or similar to
> map connections from the client in question to an alternative SMTP
> port, for which in master.cf you configure appropriate settings.
>
> You probably do not need a dedicated port, just configure both an
> RSA and a DSA certificate.  Why you'd want to do this is a mystery,
> an SMTP client that only supports DSS is rather a museum piece.
>
> If the client in fact only supports SSL 3.0 (even more ancient), then
> you'd need to have an OpenSSL version that has not disabled SSL 3.0:
>
> $ openssl ciphers -v -s -ssl3 kDHE+aDSS+AES:@SECLEVEL=0
> DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
> DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1
>
> and to change the default value of "smtpd_tls_protocols":
>
> # Postfix 3.6 or later:
> smtpd_tls_protocols = >=SSLv3
>
> # Older Postfix
> smtpd_tls_protocols = !SSLv2


Thank you Viktor for this explanation, really helpful, I will go with  
the iptables suggestion (or in our case pf). The OS is FreeBSD 12 so  
it should be doable.


Thanks again,
Per





Re: Enable SSLv3 from a specific IP

2022-09-24 Thread Viktor Dukhovni
On Sat, Sep 24, 2022 at 01:22:30PM +0200, Lists Nethead wrote:

> I am tasked with what the subject says, to enable
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
> from a specific IP.

Note that while the cipher was first defined for use in SSLv3, it
continues to be applicable in TLS 1.0, 1.1 and even 1.2.  For
example, on a FreeBSD 12.3 system with OpenSSL 1.1.1 I get:

$ openssl ciphers -v -s -tls1_2 kDHE+aDSS+SHA1+AES:@SECLEVEL=0
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1

While on a Fedora 36 system no such ciphers are available:

$ openssl ciphers -v -s -tls1_2 kDHE+aDSS:@SECLEVEL=0
$

So if your OpenSSL library does not support the cipher, you're out of
luck.

However, even if it does, that cipher can only be negotiated on a server
that has a DSA (a.k.a. DSS) certificate.  So you'd need to configure
either only a DSA certificate, or both a DSA and an RSA certificate.

That's all that's required.  Postfix is fairly liberal in the list of
ciphers it supports, because SMTP typically uses unauthenticated
opportunistic TLS, and turning up the ciphers to 11 is mostly
counterproductive.

> I suppose that must be a lookup table but unsure about the syntax. Or,  
> is smtpd_discard_ehlo_keyword_address_maps the way to go?

It is not possible to configure fine-grained TLS settings by client
IP directly in Postfix.  You'd have to use iptables or similar to
map connections from the client in question to an alternative SMTP
port, for which in master.cf you configure appropriate settings.

You probably do not need a dedicated port, just configure both an
RSA and a DSA certificate.  Why you'd want to do this is a mystery,
an SMTP client that only supports DSS is rather a museum piece.

If the client in fact only supports SSL 3.0 (even more ancient), then
you'd need to have an OpenSSL version that has not disabled SSL 3.0:

$ openssl ciphers -v -s -ssl3 kDHE+aDSS+AES:@SECLEVEL=0
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1

and to change the default value of "smtpd_tls_protocols":

# Postfix 3.6 or later:
smtpd_tls_protocols = >=SSLv3

# Older Postfix
smtpd_tls_protocols = !SSLv2

-- 
Viktor.
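
As an added example (not from the thread or from the Postfix project), here is the alternate-port arrangement Viktor describes, written for the FreeBSD/pf setup Per mentions: pf redirects only the legacy client's port 25 connections to a dedicated smtpd on 127.0.0.1:10025, whose master.cf `-o` overrides carry the relaxed settings, while port 25 keeps the main.cf defaults. The client address 192.0.2.10, the port 10025, the interface name and the certificate paths are assumptions; the SSLv3 part still depends on an OpenSSL build that has not disabled SSL 3.0, as explained above.

```conf
# /etc/pf.conf (FreeBSD 12): redirect ONLY the legacy client's port-25
# connections to the dedicated smtpd.  rdr rewrites the destination, so
# smtpd still sees 192.0.2.10 (placeholder) as the client address.
ext_if = "em0"
legacy_client = "192.0.2.10"
rdr pass on $ext_if inet proto tcp from $legacy_client to ($ext_if) port 25 \
    -> 127.0.0.1 port 10025

# /usr/local/etc/postfix/master.cf: second smtpd instance bound to the
# loopback port the pf rule targets.  Each -o override applies to this
# service only; main.cf, and therefore port 25, stays at its defaults.
127.0.0.1:10025 inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/legacy
  -o mynetworks=192.0.2.10/32
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_dsa_cert_file=/usr/local/etc/postfix/legacy-dsa.pem
  -o smtpd_tls_dsa_key_file=/usr/local/etc/postfix/legacy-dsa.key
  -o smtpd_tls_protocols=>=SSLv3
# Postfix before 3.6 has no ">=" syntax; use smtpd_tls_protocols=!SSLv2
# there, as in the message above.
```

The `syslog_name` override tags every connection on the relaxed port as `postfix/legacy` in the mail log, so the SSLv3/DSS path stays auditable, and the `mynetworks`/`reject` pair makes the port refuse anything that reaches it other than the one client even if the pf rule is later loosened. Validate with `pfctl -nf /etc/pf.conf` and `postfix check` before reloading either service.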


Re: Enable SSLv3 from a specific IP

2022-09-24 Thread Benny Pedersen

Lists Nethead wrote on 2022-09-24 13:22:

> Hello Postfix users,
>
> I am tasked with what the subject says, to enable
> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
> from a specific IP.

why ?

> I suppose that must be a lookup table but unsure about the syntax. Or,
> is smtpd_discard_ehlo_keyword_address_maps the way to go?

irrelevant

> Thankful for a pointer.

sparse info gives sparse answer

https://askubuntu.com/questions/893155/simple-way-of-enabling-sslv2-and-sslv3-in-openssl

please verify that you still have an openssl that supports it; if it's
compile-time disabled, please don't use it


Enable SSLv3 from a specific IP

2022-09-24 Thread Lists Nethead

Hello Postfix users,

I am tasked with what the subject says, to enable
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
from a specific IP.

I suppose that must be a lookup table but unsure about the syntax. Or,  
is smtpd_discard_ehlo_keyword_address_maps the way to go?


Thankful for a pointer.

Best,
Per