Re: SSL/TLS

[SSL]

very sorry , i forgot to write URL .
it is http://aoiyuma.mydns.jp/mydns-MS.html

On 2015e9407f29f% 06:22, SSL wrote:

Hi all .
following the advices that I received in the past , Itry to put together .

I think that there aremistakes.
Please point out at that time.

In addition, please use the translation site because this is written 
in Japanese.


For example,
https://translate.google.co.jp/?hl=ja
--
tuyosi takesima

Re: SSL/TLS

[SSL]

Hi all .
following the advices that I received in the past ,  Itry to put together .

I think that there aremistakes.
Please point out at that time.

In addition, please use the translation site because this is written in 
Japanese.


For example,
https://translate.google.co.jp/?hl=ja
--
tuyosi takesima

Re: SSL/TLS

[SSL]

i rewrite  smtpd.conf by auth-optional
this one allow to mail to & from gmail.com .

-by https://www.opensmtpd.org/smtpd.conf.5.html
If *auth-optional* is specified, then SMTPAUTH is not required to 
establish an SMTP transaction. This is only useful to let a listener 
accept incoming mail from untrusted senders and outgoing mail from 
authenticated users in situations where it is not possible to listen on 
the submission port.
Both *auth* and *auth-optional* accept an optional table as a parameter. 
When provided, credentials are looked up in this table. Credentials 
format is described in table(5).

---

how about this ?

pki mail.aoiyuma.mydns.jp certificate "/etc/ssl/mail.aoiyuma.mydns.jp.crt"
pki mail.aoiyuma.mydns.jp key "/etc/ssl/private/mail.aoiyuma.mydns.jp.key"
listen on lo0
listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth-optional
listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth-optional
listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth-optional
table aliases db:/etc/mail/aliases.db
accept from any for domain "aoiyuma.mydns.jp"   alias  
deliver to maildir
accept from any for domain "aoiyuma.mydns.jp"   
deliver to maildir
accept for localalias  
deliver to maildir
accept for local
deliver to maildir

mynetwork1 = "6.2.6.2/32"
mynetwork2 = "114.22.25.247/32"
accept from source $mynetwork1 for any relay
accept from source $mynetwork2 for any relay
accept from local for any relay

Re: SSL/TLS

[Herbert J. Skuhra]

On Tue, Jul 28, 2015 at 09:05:24PM +0900, tuyosi wrote:
> 
> 
> On 2015e9407f28f% 20:50, Denis Fondras wrote:
> >>are there open relay when ' accept from local for any relay' is replaced .
> >>
> >Nope !
> >"from local" means that only the machine running OpenSMTPd or any
> >*authenticated* client can relay.
> >
> >Moreover, if no rule is matching then OpenSMTPd rejects the mail (default
> >setting = secure setting)
> >
> kind advice .
> 
> surely   i can send mail from x...@aoiyuma.mydns.jp to y...@gmail.com 
> .
> 
> 
> strangely  i cannot send mail from Y@gmailto
> x...@aoiyuma.mydns.jp .
> -
> 
> Delivery to the following recipient failed permanently:
> 
>  tuy...@aoiyuma.mydns.jp
> 
> Technical details of permanent failure:
> Google tried to deliver your message, but it was rejected by the server for 
> the recipient domain aoiyuma.mydns.jp by mail.aoiyuma.mydns.jp. 
> [157.7.208.141].
> 
> The error that the other server returned was:
> 530 5.5.1 Invalid command: Must issue an AUTH command first

You have:

listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth

From smtpd.conf(5):

If the auth parameter is used, then a client may only start an SMTP transaction
after a successful authentication. Any remote sender that passed SMTPAUTH is
treated as if it was the server's local user that was sending the mail. This
means that filter rules using from local will be matched. If auth-optional is
specified, then SMTPAUTH is not required to establish an SMTP transaction. This
is only useful to let a listener accept incoming mail from untrusted senders
and outgoing mail from authenticated users in situations where it is not
possible to listen on the submission port.

And I think you want smtps on port 465 not tls!

-- 
Herbert

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: SSL/TLS

[tuyosi]

On 2015e9407f28f% 20:50, Denis Fondras wrote:

are there open relay when ' accept from local for any relay' is replaced .


Nope !
"from local" means that only the machine running OpenSMTPd or any
*authenticated* client can relay.

Moreover, if no rule is matching then OpenSMTPd rejects the mail (default
setting = secure setting)


kind advice .

surely   i can send mail from x...@aoiyuma.mydns.jp to y...@gmail.com .


strangely  i cannot send mail from Y@gmailto 
x...@aoiyuma.mydns.jp .

-

Delivery to the following recipient failed permanently:

 tuy...@aoiyuma.mydns.jp

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the 
recipient domain aoiyuma.mydns.jp by mail.aoiyuma.mydns.jp. [157.7.208.141].

The error that the other server returned was:
530 5.5.1 Invalid command: Must issue an AUTH command first



--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: SSL/TLS

[Denis Fondras]

> are there open relay when ' accept from local for any relay' is replaced .
> 

Nope !
"from local" means that only the machine running OpenSMTPd or any
*authenticated* client can relay.

Moreover, if no rule is matching then OpenSMTPd rejects the mail (default
setting = secure setting)

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: SSL/TLS

[SSL]

On 2015e9407f28f% 19:18, Mariano Baragiola wrote:

In my experience, Thunderbird auto-configuration is not good.

Configure it manually, choosing STARTTLS as the encryption method.


thanks lot .

i rewrite smtpd.conf


pki mail.aoiyuma.mydns.jp certificate "/etc/ssl/mail.aoiyuma.mydns.jp.crt"
pki mail.aoiyuma.mydns.jp key "/etc/ssl/private/mail.aoiyuma.mydns.jp.key"

listen on lo0
listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth

table aliases db:/etc/mail/aliases.db
accept from any for domain "aoiyuma.mydns.jp"   alias  
deliver to maildir
accept from any for domain "aoiyuma.mydns.jp"   
deliver to maildir
accept for localalias  
deliver to maildir
accept for local
deliver to maildir

mynetwork1 = "61.214.236.211/32"
mynetwork2 = "114.22.25.247/32"
accept from source $mynetwork1 for any relay
accept from source $mynetwork2 for any relay

#reject from any for any
accept from local for any relay  <- this line
accept from local for any relay
---
then i send mail y...@gmail.com .


my failure was 'reject from any for any' .
are there open relay when ' accept from local for any relay' is replaced .







--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: SSL/TLS

[SSL]

i follow you .

On 2015e9407f28f% 19:18, Mariano Baragiola wrote:

In my experience, Thunderbird auto-configuration is not good.

Configure it manually, choosing STARTTLS as the encryption method.


surely i can send mail from x...@aoiyuma.mydns.jp   to x...@aoiyuma.mydns.jp
but cannod send mail   from x...@aoiyuma.mydns.jp   to y...@gmail.com
(previously can send )

 tail /var/log/maillog

Jul 29 04:36:36 aoiyuma smtpd[13370]: smtp-in: Closing session 
0d8c97396558bc0b


Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: New session 
0d8c973acd272d09 from host e0109-114-22-25-247.uqwimax.jp [114.22.25.247]


Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: Started TLS on session 
0d8c973acd272d09: version=TLSv1/SSLv3, 
cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128


Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Accepted authentication 
for user tuyosi on session 0d8c973acd272d09


Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Failed command on session 
0d8c973acd272d09: "RCPT TO:" => 550 Invalid recipient

^
Jul 29 04:36:52 aoiyuma smtpd[13370]: smtp-in: Closing session 
0d8c973acd272d09




--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: SSL/TLS

[Mariano Baragiola]

In my experience, Thunderbird auto-configuration is not good.

Configure it manually, choosing STARTTLS as the encryption method.

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: SSL/TLS

[SSL]

thanks for advices .

i rewite smtpd.conf

pki mail.aoiyuma.mydns.jp certificate "/etc/ssl/mail.aoiyuma.mydns.jp.crt"
pki mail.aoiyuma.mydns.jp key "/etc/ssl/private/mail.aoiyuma.mydns.jp.key"
listen on lo0
listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth
table aliases db:/etc/mail/aliases.db
accept from any for domain "aoiyuma.mydns.jp"   alias  
deliver to maildir
accept from any for domain "aoiyuma.mydns.jp"   
deliver to maildir
accept for localalias  
deliver to maildir
accept for local
deliver to maildir

mynetwork1 = "6.2.6.2/32"
mynetwork2 = "114.22.25.247/32"
accept from source $mynetwork1 for any relay
accept from source $mynetwork2 for any relay
reject from any for any

thunderbird automativally detects mail server .
about smtp
---
authentification nethod : passeword , transmitted insecurely
conectio security:none

perhaps TLS does not run .

so
--
accept for local alias  deliver to mda "/usr/local/bin/maildrop 
-f -"

accept from any for domain aoiyuma.mydns.jp \
deliver to mda "/usr/local/bin/maildrop -f -"
or like is needed ?

-
regards




--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: SSL/TLS

[Denis Fondras]

Are you really sure you want to open-relay your server to .JP ?
If not, remove this line :

> accept from source  for any relay

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: SSL/TLS

[Seth]

On Mon, 27 Jul 2015 19:40:39 -0700, SSL  wrote:

i am afraid of being attacked .
so i want to limit PCs in japan only (if japanese PC is hacked , this  
setting in not safe ) .


It would probably be more appropriate and effective to use a firewall such  
as OpenBSD's pf to accomplish this goal. OpenBSD also provides spamd  
which, along with a few selected real time black lists added to the mix,  
makes a very effective spam filter.



but i want to use conection secrity SSL/TLS .
how to do it ?


The smptd.conf(5) man page documents key generation in the EXAMPLES  
section near the end.


 In this second example, the aim is to permit mail relaying for any  
user

 that can authenticate using their normal login credentials.  An RSA
 certificate must be provided to prove the server's identity.  The mail
 server listens on all interfaces the default route(s) point to.  Mail
 with a local destination should be sent to an external mda.  First,  
the

 RSA certificate is created:

   # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
   # openssl req -new -x509 -key  
/etc/ssl/private/mail.example.com.key \

   -out /etc/ssl/mail.example.com.crt -days 365
   # chmod 600 /etc/ssl/mail.example.com.crt
   # chmod 600 /etc/ssl/private/mail.example.com.key

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

SSL/TLS

[SSL]

hi all .

i am afraid of being attacked .
so i want to limit PCs in japan only (if japanese PC is hacked , this 
setting in not safe ) .


i look at https://ipv4.fetus.jp/
and download as jp.txt

tr '\n' ' '  jp3

cat jp3
1.0.16.0/20 1.0.64.0/18 1.1.64.0/18 1.5.0.0/16 1.21.0.0/16 1.33.0.0/16 
1.66.0.0/15 1.72.0.0/13 1.112.0.0/14 14.0.8.0/22 14.1.4.0/22 14.1.8.0/21 
14.3.0.0/16 14.8.0.0/13 14.101.0.0/16 14.102.132.0/22 14.102.192.0/19 etc


makemap jp3

smtpd.conf
listen on lo0
listen on em0 port 25
listen on em0 port 465
listen on em0 port 587
table aliases db:/etc/mail/aliases.db
table jp3 db:/etc/mail/jp3.db
accept from any for domain "aoiyuma.mydns.jp"   alias  
deliver to maildir
accept from any for domain "aoiyuma.mydns.jp"   
deliver to maildir
accept for localalias  
deliver to maildir
accept for local
deliver to maildir

accept from source  for any relay
reject from any for any

in this setting i can mail to X.gmail.com .

but i want to use conection secrity SSL/TLS .
how to do it ?
-
regards



--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: How to configure encryption ciphers and SSL/TLS protocols

[John Cox]

On Mon, 9 Jun 2014 10:16:43 +0200, you wrote:

>On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
>> Hi
>> 
>> >>That's not correct no, I get plenty of TLS 1.0 trafic and it has been
>> >>the case for many years
>> >
>> >To parrot this on all of my various instances OpenSMTPD and not I get tons
>> >of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
>> >every now and again I see SSLv2 attempts which for most of my instances get
>> >killed. I haven't seen one on my OpenSMTPD instance yet but its only time.
>> >But seriously for email any transport encryption is better than none and
>> >OpenSMTPD's default should be the best way to handle opportunistic TLS
>> >where you always try to use the highest protocol version supported with the
>> >best ciphers supported, and there shouldnt need to be a knob for it.
>> 
>> Whilst I agree with what you are saying for general purpose mail
>> servers, I can see applications where enforced encryption levels are
>> worth having.  I can see that some company gateways, where they know
>> all of the other endpoints, might wish to enforce appropriate
>> encryption as everybody who should be talking to that MTA should be
>> capable of it and anything else is therefore spam or hacking.  This is
>> particularly plausible on any link where TLS or SSL is already
>> mandatory.
>> 
>
>please define "enforced encryption levels" ?
Tricky - I don't have a specific use case in mind, but I worked on
building a military email system (X.400 based - it was that long ago,
though they may still use it for all I know) and they were pretty keen
on nailing down exactly what was expected on each link.

>pretty much anyone tweaking ssl_ciphers will actually downgrade security
>or/and break interop with other servers. some people may know how to tie
>things further for their specific use-cases but the minute we add a knob
>other people will start using it and shoot themselves in the foot.
Sadly that is the case with pretty much all security, but the lack of
an ability to check/filter based on what security level has been
negotiated means that those people who _do_ know what they are doing
can't.  I'm still annoyed by the general (not smtpd particularly)
impossibility of having usefully functioning CRLs, which are pretty
much a requirement of any PK system but have been generally ignored to
date.

>At the time being we're looking to is to have the bul0k of users safe by
>default and we're looking for more:
>
>   https://twitter.com/Mayeu/status/474109854651785216
>
>"the magic of OpenSMTPD, you do no TLS configuration and you're graded A
> by default <3  (test here: starttls.info)"
I do not disagree

>Im not saying that this will hold true forever but at this point in time
>I would prefer that we dont have ssl_ciphers and that any improvement we
>do is made to the default until we exhausted all possibilities to do so.
Fair enough - I just felt it was worth adding another point of view to
the discussion.

Thanks

JC

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: How to configure encryption ciphers and SSL/TLS protocols

[Gilles Chehade]

yes, but DONT DO THAT unless you know what you're doing.

you have been warned: smtpd is safe by default and provide a SSL_CIPHERS
that has been tested and verified to be safe. changes that seem fine can
effectively break the security and interoperability. unless you know how
openssl/libressl manages cipher lists, and what ciphers are supported by
other peers, you just can't do it right.

also, keep in mind that we don't provide support for users who alter the
code we provide. if you changed SSL_CIPHERS and you hit a MTA bug, we'll
assume the change is responsible for the bug unless we can hit it with a
version of smtpd that's not altered.


On Mon, Jun 09, 2014 at 04:33:13AM -0400, Adam Suhl wrote:
> I think at build time you can fine-tune which ciphers you want by editing 
> ssl.h -- in particular the SSL_CIPHERS define.
> --Adam
> 
> On Mon, 9 Jun 2014, Gilles Chehade wrote:
> 
> > On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> > > Hi
> > > 
> > > >>That's not correct no, I get plenty of TLS 1.0 trafic and it has been
> > > >>the case for many years
> > > >
> > > >To parrot this on all of my various instances OpenSMTPD and not I get 
> > > >tons
> > > >of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> > > >every now and again I see SSLv2 attempts which for most of my instances 
> > > >get
> > > >killed. I haven't seen one on my OpenSMTPD instance yet but its only 
> > > >time.
> > > >But seriously for email any transport encryption is better than none and
> > > >OpenSMTPD's default should be the best way to handle opportunistic TLS
> > > >where you always try to use the highest protocol version supported with 
> > > >the
> > > >best ciphers supported, and there shouldnt need to be a knob for it.
> > > 
> > > Whilst I agree with what you are saying for general purpose mail
> > > servers, I can see applications where enforced encryption levels are
> > > worth having.  I can see that some company gateways, where they know
> > > all of the other endpoints, might wish to enforce appropriate
> > > encryption as everybody who should be talking to that MTA should be
> > > capable of it and anything else is therefore spam or hacking.  This is
> > > particularly plausible on any link where TLS or SSL is already
> > > mandatory.
> > > 
> > 
> > please define "enforced encryption levels" ?
> > 
> > pretty much anyone tweaking ssl_ciphers will actually downgrade security
> > or/and break interop with other servers. some people may know how to tie
> > things further for their specific use-cases but the minute we add a knob
> > other people will start using it and shoot themselves in the foot.
> > 
> > At the time being we're looking to is to have the bul0k of users safe by
> > default and we're looking for more:
> > 
> >https://twitter.com/Mayeu/status/474109854651785216
> > 
> > "the magic of OpenSMTPD, you do no TLS configuration and you're graded A
> >  by default <3  (test here: starttls.info)"
> > 
> > Im not saying that this will hold true forever but at this point in time
> > I would prefer that we dont have ssl_ciphers and that any improvement we
> > do is made to the default until we exhausted all possibilities to do so.
> > 
> > 
> > -- 
> > Gilles Chehade
> > 
> > https://www.poolp.org  @poolpOrg
> > 
> > -- 
> > You received this mail because you are subscribed to misc@opensmtpd.org
> > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > 
> > 
> 
> -- 
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: How to configure encryption ciphers and SSL/TLS protocols

[Adam Suhl]

I think at build time you can fine-tune which ciphers you want by editing 
ssl.h -- in particular the SSL_CIPHERS define.
--Adam

On Mon, 9 Jun 2014, Gilles Chehade wrote:

> On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> > Hi
> > 
> > >>That's not correct no, I get plenty of TLS 1.0 trafic and it has been
> > >>the case for many years
> > >
> > >To parrot this on all of my various instances OpenSMTPD and not I get tons
> > >of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> > >every now and again I see SSLv2 attempts which for most of my instances get
> > >killed. I haven't seen one on my OpenSMTPD instance yet but its only time.
> > >But seriously for email any transport encryption is better than none and
> > >OpenSMTPD's default should be the best way to handle opportunistic TLS
> > >where you always try to use the highest protocol version supported with the
> > >best ciphers supported, and there shouldnt need to be a knob for it.
> > 
> > Whilst I agree with what you are saying for general purpose mail
> > servers, I can see applications where enforced encryption levels are
> > worth having.  I can see that some company gateways, where they know
> > all of the other endpoints, might wish to enforce appropriate
> > encryption as everybody who should be talking to that MTA should be
> > capable of it and anything else is therefore spam or hacking.  This is
> > particularly plausible on any link where TLS or SSL is already
> > mandatory.
> > 
> 
> please define "enforced encryption levels" ?
> 
> pretty much anyone tweaking ssl_ciphers will actually downgrade security
> or/and break interop with other servers. some people may know how to tie
> things further for their specific use-cases but the minute we add a knob
> other people will start using it and shoot themselves in the foot.
> 
> At the time being we're looking to is to have the bul0k of users safe by
> default and we're looking for more:
> 
>https://twitter.com/Mayeu/status/474109854651785216
> 
> "the magic of OpenSMTPD, you do no TLS configuration and you're graded A
>  by default <3  (test here: starttls.info)"
> 
> Im not saying that this will hold true forever but at this point in time
> I would prefer that we dont have ssl_ciphers and that any improvement we
> do is made to the default until we exhausted all possibilities to do so.
> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg
> 
> -- 
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 
> 

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: How to configure encryption ciphers and SSL/TLS protocols

[Gilles Chehade]

On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> Hi
> 
> >>That's not correct no, I get plenty of TLS 1.0 trafic and it has been
> >>the case for many years
> >
> >To parrot this on all of my various instances OpenSMTPD and not I get tons
> >of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> >every now and again I see SSLv2 attempts which for most of my instances get
> >killed. I haven't seen one on my OpenSMTPD instance yet but its only time.
> >But seriously for email any transport encryption is better than none and
> >OpenSMTPD's default should be the best way to handle opportunistic TLS
> >where you always try to use the highest protocol version supported with the
> >best ciphers supported, and there shouldnt need to be a knob for it.
> 
> Whilst I agree with what you are saying for general purpose mail
> servers, I can see applications where enforced encryption levels are
> worth having.  I can see that some company gateways, where they know
> all of the other endpoints, might wish to enforce appropriate
> encryption as everybody who should be talking to that MTA should be
> capable of it and anything else is therefore spam or hacking.  This is
> particularly plausible on any link where TLS or SSL is already
> mandatory.
> 

please define "enforced encryption levels" ?

pretty much anyone tweaking ssl_ciphers will actually downgrade security
or/and break interop with other servers. some people may know how to tie
things further for their specific use-cases but the minute we add a knob
other people will start using it and shoot themselves in the foot.

At the time being we're looking to is to have the bul0k of users safe by
default and we're looking for more:

   https://twitter.com/Mayeu/status/474109854651785216

"the magic of OpenSMTPD, you do no TLS configuration and you're graded A
 by default <3  (test here: starttls.info)"

Im not saying that this will hold true forever but at this point in time
I would prefer that we dont have ssl_ciphers and that any improvement we
do is made to the default until we exhausted all possibilities to do so.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: How to configure encryption ciphers and SSL/TLS protocols

[John Cox]

Hi

>>That's not correct no, I get plenty of TLS 1.0 trafic and it has been
>>the case for many years
>
>To parrot this on all of my various instances OpenSMTPD and not I get tons
>of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
>every now and again I see SSLv2 attempts which for most of my instances get
>killed. I haven't seen one on my OpenSMTPD instance yet but its only time.
>But seriously for email any transport encryption is better than none and
>OpenSMTPD's default should be the best way to handle opportunistic TLS
>where you always try to use the highest protocol version supported with the
>best ciphers supported, and there shouldnt need to be a knob for it.

Whilst I agree with what you are saying for general purpose mail
servers, I can see applications where enforced encryption levels are
worth having.  I can see that some company gateways, where they know
all of the other endpoints, might wish to enforce appropriate
encryption as everybody who should be talking to that MTA should be
capable of it and anything else is therefore spam or hacking.  This is
particularly plausible on any link where TLS or SSL is already
mandatory.

Regards

JC

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: How to configure encryption ciphers and SSL/TLS protocols

[Clint Pachl]

Gilles Chehade wrote, On 06/08/14 05:40:

On Sat, Jun 07, 2014 at 03:40:12PM -0700, Clint Pachl wrote:

Is there a way to configure smtpd to only use specified ciphers or limit it
to TLSv1.[12]?

I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's
`ssl_ciphers` or `ssl_protocols` configuration directives.


no, we don't want to make this tunable.

the rationale is that we want to propose the best encryption by default.
if there is a better choice, it should be proposed and discussed openly
as it should become the new default.

yes, it's tempting to provide ssl_ciphers but unless there's a very good
reason to do it, we won't introduce this new knob.


I must agree, I'm in favor of no knob as well.


The reason I ask is because I'm very close to failing my PCI compliance
because of smptd. They score each compliance test from 0 to 9. If any single
score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently
receiving a risk score of 3.9. I have a feeling that in the not too distant
future this particular test will fail.

My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to
information disclosure" because of the initialization vector implementations
in SSLv3 and TLSv1.0.

Thier stated resolution is:

"Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use
block ciphers."


This can certainly be improved without adding ssl_ciphers knob


How? Is there a workaround?



I'm not a mail expert, but my feeling is that secured email hasn't been
widespread until recent years. If any MTAs support encryption, they are
probably using the latest protocols and ciphers.


That's not correct no, I get plenty of TLS 1.0 trafic and it has been
the case for many years


I stand corrected. Thanks Gilles.

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: How to configure encryption ciphers and SSL/TLS protocols

[Barbier, Jason]

>That's not correct no, I get plenty of TLS 1.0 trafic and it has been
>the case for many years

To parrot this on all of my various instances OpenSMTPD and not I get tons
of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
every now and again I see SSLv2 attempts which for most of my instances get
killed. I haven't seen one on my OpenSMTPD instance yet but its only time.
But seriously for email any transport encryption is better than none and
OpenSMTPD's default should be the best way to handle opportunistic TLS
where you always try to use the highest protocol version supported with the
best ciphers supported, and there shouldnt need to be a knob for it.
-- 
Jason Barbier | jab...@serversave.us
Pro Patria Vigilans

Re: How to configure encryption ciphers and SSL/TLS protocols

[Gilles Chehade]

On Sat, Jun 07, 2014 at 03:40:12PM -0700, Clint Pachl wrote:
> Is there a way to configure smtpd to only use specified ciphers or limit it
> to TLSv1.[12]?
> 
> I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's
> `ssl_ciphers` or `ssl_protocols` configuration directives.
> 

no, we don't want to make this tunable.

the rationale is that we want to propose the best encryption by default.
if there is a better choice, it should be proposed and discussed openly
as it should become the new default.

yes, it's tempting to provide ssl_ciphers but unless there's a very good
reason to do it, we won't introduce this new knob.


> The reason I ask is because I'm very close to failing my PCI compliance
> because of smptd. They score each compliance test from 0 to 9. If any single
> score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently
> receiving a risk score of 3.9. I have a feeling that in the not too distant
> future this particular test will fail.
>
> My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to
> information disclosure" because of the initialization vector implementations
> in SSLv3 and TLSv1.0.
>
> Thier stated resolution is:
> 
> "Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
> Configure SSL/TLS servers to only support cipher suites that do not use
> block ciphers."
>

This can certainly be improved without adding ssl_ciphers knob


> I'm not a mail expert, but my feeling is that secured email hasn't been
> widespread until recent years. If any MTAs support encryption, they are
> probably using the latest protocols and ciphers.
> 

That's not correct no, I get plenty of TLS 1.0 trafic and it has been
the case for many years

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

How to configure encryption ciphers and SSL/TLS protocols

[Clint Pachl]

Is there a way to configure smtpd to only use specified ciphers or limit 
it to TLSv1.[12]?


I'm looking for something similar to Dovecot's `ssl_cipher_list` or 
Nginx's `ssl_ciphers` or `ssl_protocols` configuration directives.


The reason I ask is because I'm very close to failing my PCI compliance 
because of smptd. They score each compliance test from 0 to 9. If any 
single score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is 
currently receiving a risk score of 3.9. I have a feeling that in the 
not too distant future this particular test will fail.


My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to 
information disclosure" because of the initialization vector 
implementations in SSLv3 and TLSv1.0.


Thier stated resolution is:

"Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. 
Configure SSL/TLS servers to only support cipher suites that do not use 
block ciphers."


I'm not a mail expert, but my feeling is that secured email hasn't been 
widespread until recent years. If any MTAs support encryption, they are 
probably using the latest protocols and ciphers.


--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org