Re: SSL/TLS
Very sorry, I forgot to write the URL. It is http://aoiyuma.mydns.jp/mydns-MS.html

On 2015/07/29 06:22, SSL wrote:
> Hi all. Following the advice that I received in the past, I try to put it together. I think that there are mistakes. Please point them out at that time. In addition, please use a translation site because this is written in Japanese. For example, https://translate.google.co.jp/?hl=ja

--
tuyosi takesima
Re: SSL/TLS
Hi all. Following the advice that I received in the past, I try to put it together. I think that there are mistakes. Please point them out at that time. In addition, please use a translation site because this is written in Japanese. For example, https://translate.google.co.jp/?hl=ja

--
tuyosi takesima
Re: SSL/TLS
I rewrite smtpd.conf with auth-optional. This one allows mail to and from gmail.com.

From https://www.opensmtpd.org/smtpd.conf.5.html:

  If auth-optional is specified, then SMTPAUTH is not required to establish an SMTP transaction. This is only useful to let a listener accept incoming mail from untrusted senders and outgoing mail from authenticated users in situations where it is not possible to listen on the submission port. Both auth and auth-optional accept an optional table as a parameter. When provided, credentials are looked up in this table. Credentials format is described in table(5).

---
How about this?

  pki mail.aoiyuma.mydns.jp certificate "/etc/ssl/mail.aoiyuma.mydns.jp.crt"
  pki mail.aoiyuma.mydns.jp key "/etc/ssl/private/mail.aoiyuma.mydns.jp.key"

  listen on lo0
  listen on em0 port 25 tls pki mail.aoiyuma.mydns.jp auth-optional
  listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth-optional
  listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth-optional

  table aliases db:/etc/mail/aliases.db

  accept from any for domain "aoiyuma.mydns.jp" alias <aliases> deliver to maildir
  accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
  accept for local alias <aliases> deliver to maildir
  accept for local deliver to maildir

  mynetwork1 = "6.2.6.2/32"
  mynetwork2 = "114.22.25.247/32"
  accept from source $mynetwork1 for any relay
  accept from source $mynetwork2 for any relay
  accept from local for any relay
Re: SSL/TLS
On Tue, Jul 28, 2015 at 09:05:24PM +0900, tuyosi wrote:
> On 2015/07/28 20:50, Denis Fondras wrote:
> >> Is there an open relay when 'accept from local for any relay' is replaced?
> >>
> > Nope !
> > "from local" means that only the machine running OpenSMTPd or any
> > *authenticated* client can relay.
> >
> > Moreover, if no rule is matching then OpenSMTPd rejects the mail (default
> > setting = secure setting)
>
> Kind advice.
>
> Surely I can send mail from x...@aoiyuma.mydns.jp to y...@gmail.com.
>
> Strangely, I cannot send mail from Y@gmail to x...@aoiyuma.mydns.jp.
> -
> Delivery to the following recipient failed permanently:
>
>   tuy...@aoiyuma.mydns.jp
>
> Technical details of permanent failure:
> Google tried to deliver your message, but it was rejected by the server for
> the recipient domain aoiyuma.mydns.jp by mail.aoiyuma.mydns.jp.
> [157.7.208.141].
>
> The error that the other server returned was:
> 530 5.5.1 Invalid command: Must issue an AUTH command first

You have:

  listen on em0 port 25 tls pki mail.aoiyuma.mydns.jp auth

From smtpd.conf(5):

  If the auth parameter is used, then a client may only start an SMTP transaction after a successful authentication. Any remote sender that passed SMTPAUTH is treated as if it was the server's local user that was sending the mail. This means that filter rules using from local will be matched.

  If auth-optional is specified, then SMTPAUTH is not required to establish an SMTP transaction. This is only useful to let a listener accept incoming mail from untrusted senders and outgoing mail from authenticated users in situations where it is not possible to listen on the submission port.

And I think you want smtps on port 465 not tls!

--
Herbert

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: SSL/TLS
On 2015/07/28 20:50, Denis Fondras wrote:
>> Is there an open relay when 'accept from local for any relay' is replaced?
>>
> Nope !
> "from local" means that only the machine running OpenSMTPd or any
> *authenticated* client can relay.
>
> Moreover, if no rule is matching then OpenSMTPd rejects the mail (default
> setting = secure setting)

Kind advice.

Surely I can send mail from x...@aoiyuma.mydns.jp to y...@gmail.com.

Strangely, I cannot send mail from Y@gmail to x...@aoiyuma.mydns.jp.
-
Delivery to the following recipient failed permanently:

  tuy...@aoiyuma.mydns.jp

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain aoiyuma.mydns.jp by mail.aoiyuma.mydns.jp. [157.7.208.141].

The error that the other server returned was:
530 5.5.1 Invalid command: Must issue an AUTH command first
Re: SSL/TLS
> Is there an open relay when 'accept from local for any relay' is replaced?
>

Nope !
"from local" means that only the machine running OpenSMTPd or any *authenticated* client can relay.

Moreover, if no rule is matching then OpenSMTPd rejects the mail (default setting = secure setting)
Re: SSL/TLS
On 2015/07/28 19:18, Mariano Baragiola wrote:
> In my experience, Thunderbird auto-configuration is not good. Configure it manually, choosing STARTTLS as the encryption method.

Thanks a lot. I rewrite smtpd.conf:

  pki mail.aoiyuma.mydns.jp certificate "/etc/ssl/mail.aoiyuma.mydns.jp.crt"
  pki mail.aoiyuma.mydns.jp key "/etc/ssl/private/mail.aoiyuma.mydns.jp.key"

  listen on lo0
  listen on em0 port 25 tls pki mail.aoiyuma.mydns.jp auth
  listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth
  listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth

  table aliases db:/etc/mail/aliases.db

  accept from any for domain "aoiyuma.mydns.jp" alias <aliases> deliver to maildir
  accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
  accept for local alias <aliases> deliver to maildir
  accept for local deliver to maildir

  mynetwork1 = "61.214.236.211/32"
  mynetwork2 = "114.22.25.247/32"
  accept from source $mynetwork1 for any relay
  accept from source $mynetwork2 for any relay
  #reject from any for any
  accept from local for any relay          <- this line

---
Then I send mail to y...@gmail.com. My failure was 'reject from any for any'.

Is there an open relay when 'accept from local for any relay' is replaced?
Re: SSL/TLS
I follow you.

On 2015/07/28 19:18, Mariano Baragiola wrote:
> In my experience, Thunderbird auto-configuration is not good. Configure it manually, choosing STARTTLS as the encryption method.

Surely I can send mail from x...@aoiyuma.mydns.jp to x...@aoiyuma.mydns.jp, but I cannot send mail from x...@aoiyuma.mydns.jp to y...@gmail.com (previously I could send).

tail /var/log/maillog

  Jul 29 04:36:36 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c97396558bc0b
  Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: New session 0d8c973acd272d09 from host e0109-114-22-25-247.uqwimax.jp [114.22.25.247]
  Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: Started TLS on session 0d8c973acd272d09: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
  Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Accepted authentication for user tuyosi on session 0d8c973acd272d09
  Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Failed command on session 0d8c973acd272d09: "RCPT TO:" => 550 Invalid recipient
                                                                                                            ^
  Jul 29 04:36:52 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c973acd272d09
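The two failures this thread turns on (the authenticated client's "550 Invalid recipient" in the maillog above, and the "530 ... Must issue an AUTH command first" that Google's bounce quoted and Herbert traced to the auth keyword on port 25) can be told apart mechanically from /var/log/maillog. The following is an added example, not from the thread or the OpenSMTPD project: it correlates OpenSMTPD 5.x "smtp-in" lines by session id over a constructed log sample (host names, addresses, the RCPT argument and the third session are made up) and labels each session with one of the two diagnoses given in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the "smtp-in" lines quoted in the thread:
# session ids, host names, addresses and the RCPT argument are made up; the
# last session reproduces the 530 reply that Google's bounce quoted.
SAMPLE_LOG = """\
Jul 29 04:36:36 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c97396558bc0b
Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: New session 0d8c973acd272d09 from host client.example.net [192.0.2.10]
Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: Started TLS on session 0d8c973acd272d09: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Accepted authentication for user tuyosi on session 0d8c973acd272d09
Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Failed command on session 0d8c973acd272d09: "RCPT TO:<someone@example.com>" => 550 Invalid recipient
Jul 29 04:36:52 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c973acd272d09
Jul 29 04:40:01 aoiyuma smtpd[13370]: smtp-in: New session 0d8c973b1234abcd from host mx.example.org [198.51.100.7]
Jul 29 04:40:01 aoiyuma smtpd[13370]: smtp-in: Failed command on session 0d8c973b1234abcd: "MAIL FROM:<y@example.org>" => 530 5.5.1 Invalid command: Must issue an AUTH command first
Jul 29 04:40:02 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c973b1234abcd
"""

SMTP_IN = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ smtpd\[\d+\]: smtp-in: (?P<msg>.*)$")
EVENTS = {
    "new":   re.compile(r"^New session (?P<sid>[0-9a-f]+) from host (?P<rhost>\S+) \[(?P<ip>[^\]]+)\]"),
    "tls":   re.compile(r"^Started TLS on session (?P<sid>[0-9a-f]+): version=(?P<ver>[^,]+), cipher=(?P<cipher>[^,]+), bits=(?P<bits>\d+)"),
    "auth":  re.compile(r"^Accepted authentication for user (?P<user>\S+) on session (?P<sid>[0-9a-f]+)"),
    "fail":  re.compile(r'^Failed command on session (?P<sid>[0-9a-f]+): "(?P<cmd>[^"]*)" => (?P<reply>.*)$'),
    "close": re.compile(r"^Closing session (?P<sid>[0-9a-f]+)"),
}

@dataclass
class Session:
    sid: str
    remote_host: Optional[str] = None   # None when "New session" fell outside the tail we read
    ip: Optional[str] = None
    tls_version: Optional[str] = None
    cipher: Optional[str] = None
    user: Optional[str] = None
    failures: List[Tuple[str, str]] = field(default_factory=list)
    closed: bool = False

def parse_sessions(text: str) -> Dict[str, Session]:
    """Correlate smtp-in lines by session id so each session's story is in one place."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = SMTP_IN.match(line)
        if not m:
            continue  # smtp-out, delivery and other subsystems are out of scope here
        msg = m.group("msg")
        for kind, rx in EVENTS.items():
            e = rx.match(msg)
            if not e:
                continue
            s = sessions.setdefault(e.group("sid"), Session(e.group("sid")))
            if kind == "new":
                s.remote_host, s.ip = e.group("rhost"), e.group("ip")
            elif kind == "tls":
                s.tls_version, s.cipher = e.group("ver"), e.group("cipher")
            elif kind == "auth":
                s.user = e.group("user")
            elif kind == "fail":
                s.failures.append((e.group("cmd"), e.group("reply")))
            elif kind == "close":
                s.closed = True
            break
    return sessions

def classify(s: Session) -> str:
    """Name the failure pattern, using the two diagnoses given in the thread."""
    if not s.failures:
        return "ok"
    for cmd, reply in s.failures:
        # A remote MTA hitting a listener configured with "auth": inbound mail
        # cannot get past MAIL FROM (the 530 that Google's bounce quoted).
        if reply.startswith("530") and "AUTH" in reply and s.user is None:
            return "inbound-refused-auth-required"
        # An authenticated submission whose recipient no accept rule matched:
        # "from local" covers authenticated clients, so a relay rule is missing.
        if reply.startswith("550") and s.user is not None and cmd.upper().startswith("RCPT TO"):
            return "authenticated-relay-rejected"
    return "other-failure"

def report(text: str) -> Dict[str, str]:
    """Session id -> verdict, for every session seen in the log excerpt."""
    return {sid: classify(s) for sid, s in parse_sessions(text).items()}

if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE_LOG).items():
        origin = f"{s.remote_host} [{s.ip}]" if s.ip else "origin not in excerpt"
        print(f"{sid} {origin} tls={s.cipher or 'no'} user={s.user or '-'} -> {classify(s)}")
```

Running it against a live `tail -n 500 /var/log/maillog` instead of SAMPLE_LOG shows at a glance which sessions were refused for lack of AUTH (inbound mail to a listener that should be auth-optional) and which authenticated users were stopped by the accept rules.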
Re: SSL/TLS
In my experience, Thunderbird auto-configuration is not good. Configure it manually, choosing STARTTLS as the encryption method.
Re: SSL/TLS
Thanks for the advice. I rewrite smtpd.conf:

  pki mail.aoiyuma.mydns.jp certificate "/etc/ssl/mail.aoiyuma.mydns.jp.crt"
  pki mail.aoiyuma.mydns.jp key "/etc/ssl/private/mail.aoiyuma.mydns.jp.key"

  listen on lo0
  listen on em0 port 25 tls pki mail.aoiyuma.mydns.jp auth
  listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth
  listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth

  table aliases db:/etc/mail/aliases.db

  accept from any for domain "aoiyuma.mydns.jp" alias <aliases> deliver to maildir
  accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
  accept for local alias <aliases> deliver to maildir
  accept for local deliver to maildir

  mynetwork1 = "6.2.6.2/32"
  mynetwork2 = "114.22.25.247/32"
  accept from source $mynetwork1 for any relay
  accept from source $mynetwork2 for any relay
  reject from any for any

Thunderbird automatically detects the mail server. About SMTP:
---
  Authentication method: Password, transmitted insecurely
  Connection security: None

Perhaps TLS does not run. So is

  accept for local alias <aliases> deliver to mda "/usr/local/bin/maildrop -f -"
  accept from any for domain aoiyuma.mydns.jp \
      deliver to mda "/usr/local/bin/maildrop -f -"

or the like needed?
-
Regards
Re: SSL/TLS
Are you really sure you want to open-relay your server to .JP?
If not, remove this line:

> accept from source <jp3> for any relay
Re: SSL/TLS
On Mon, 27 Jul 2015 19:40:39 -0700, SSL wrote:
> I am afraid of being attacked, so I want to limit to PCs in Japan only
> (if a Japanese PC is hacked, this setting is not safe).

It would probably be more appropriate and effective to use a firewall such as OpenBSD's pf to accomplish this goal. OpenBSD also provides spamd which, along with a few selected real time black lists added to the mix, makes a very effective spam filter.

> But I want to use connection security SSL/TLS. How to do it?

The smtpd.conf(5) man page documents key generation in the EXAMPLES section near the end:

  In this second example, the aim is to permit mail relaying for any user that can authenticate using their normal login credentials. An RSA certificate must be provided to prove the server's identity. The mail server listens on all interfaces the default route(s) point to. Mail with a local destination should be sent to an external mda. First, the RSA certificate is created:

    # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
    # openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
          -out /etc/ssl/mail.example.com.crt -days 365
    # chmod 600 /etc/ssl/mail.example.com.crt
    # chmod 600 /etc/ssl/private/mail.example.com.key
SSL/TLS
Hi all.

I am afraid of being attacked, so I want to limit to PCs in Japan only (if a Japanese PC is hacked, this setting is not safe).

I look at https://ipv4.fetus.jp/ and download it as jp.txt

  tr '\n' ' ' < jp.txt > jp3
  cat jp3
  1.0.16.0/20 1.0.64.0/18 1.1.64.0/18 1.5.0.0/16 1.21.0.0/16 1.33.0.0/16 1.66.0.0/15 1.72.0.0/13 1.112.0.0/14 14.0.8.0/22 14.1.4.0/22 14.1.8.0/21 14.3.0.0/16 14.8.0.0/13 14.101.0.0/16 14.102.132.0/22 14.102.192.0/19 etc
  makemap jp3

smtpd.conf

  listen on lo0
  listen on em0 port 25
  listen on em0 port 465
  listen on em0 port 587

  table aliases db:/etc/mail/aliases.db
  table jp3 db:/etc/mail/jp3.db

  accept from any for domain "aoiyuma.mydns.jp" alias <aliases> deliver to maildir
  accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
  accept for local alias <aliases> deliver to maildir
  accept for local deliver to maildir
  accept from source <jp3> for any relay
  reject from any for any

In this setting I can mail to X.gmail.com. But I want to use connection security SSL/TLS. How to do it?
-
Regards
Re: How to configure encryption ciphers and SSL/TLS protocols
On Mon, 9 Jun 2014 10:16:43 +0200, you wrote:
> On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
>> Hi
>>
>> >> That's not correct no, I get plenty of TLS 1.0 traffic and it has been
>> >> the case for many years
>> >
>> > To parrot this on all of my various instances, OpenSMTPD and not, I get tons
>> > of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
>> > every now and again I see SSLv2 attempts which for most of my instances get
>> > killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
>> > But seriously for email any transport encryption is better than none and
>> > OpenSMTPD's default should be the best way to handle opportunistic TLS
>> > where you always try to use the highest protocol version supported with the
>> > best ciphers supported, and there shouldn't need to be a knob for it.
>>
>> Whilst I agree with what you are saying for general purpose mail
>> servers, I can see applications where enforced encryption levels are
>> worth having. I can see that some company gateways, where they know
>> all of the other endpoints, might wish to enforce appropriate
>> encryption as everybody who should be talking to that MTA should be
>> capable of it and anything else is therefore spam or hacking. This is
>> particularly plausible on any link where TLS or SSL is already
>> mandatory.
>>
>
> please define "enforced encryption levels" ?

Tricky - I don't have a specific use case in mind, but I worked on building a military email system (X.400 based - it was that long ago, though they may still use it for all I know) and they were pretty keen on nailing down exactly what was expected on each link.

> pretty much anyone tweaking ssl_ciphers will actually downgrade security
> or/and break interop with other servers. some people may know how to tie
> things further for their specific use-cases but the minute we add a knob
> other people will start using it and shoot themselves in the foot.

Sadly that is the case with pretty much all security, but the lack of an ability to check/filter based on what security level has been negotiated means that those people who _do_ know what they are doing can't. I'm still annoyed by the general (not smtpd particularly) impossibility of having usefully functioning CRLs, which are pretty much a requirement of any PK system but have been generally ignored to date.

> At the time being we're looking to is to have the bulk of users safe by
> default and we're looking for more:
>
>   https://twitter.com/Mayeu/status/474109854651785216
>
> "the magic of OpenSMTPD, you do no TLS configuration and you're graded A
> by default <3 (test here: starttls.info)"

I do not disagree

> I'm not saying that this will hold true forever but at this point in time
> I would prefer that we don't have ssl_ciphers and that any improvement we
> do is made to the default until we exhausted all possibilities to do so.

Fair enough - I just felt it was worth adding another point of view to the discussion.

Thanks

JC
Re: How to configure encryption ciphers and SSL/TLS protocols
yes, but DON'T DO THAT unless you know what you're doing.

you have been warned: smtpd is safe by default and provides an SSL_CIPHERS that has been tested and verified to be safe. changes that seem fine can effectively break the security and interoperability. unless you know how openssl/libressl manages cipher lists, and what ciphers are supported by other peers, you just can't do it right.

also, keep in mind that we don't provide support for users who alter the code we provide. if you changed SSL_CIPHERS and you hit a MTA bug, we'll assume the change is responsible for the bug unless we can hit it with a version of smtpd that's not altered.

On Mon, Jun 09, 2014 at 04:33:13AM -0400, Adam Suhl wrote:
> I think at build time you can fine-tune which ciphers you want by editing
> ssl.h -- in particular the SSL_CIPHERS define.
> --Adam
>
> On Mon, 9 Jun 2014, Gilles Chehade wrote:
>
> > On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> > > Hi
> > >
> > > >> That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> > > >> the case for many years
> > > >
> > > > To parrot this on all of my various instances, OpenSMTPD and not, I get
> > > > tons of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> > > > every now and again I see SSLv2 attempts which for most of my instances
> > > > get killed. I haven't seen one on my OpenSMTPD instance yet but it's only
> > > > time. But seriously for email any transport encryption is better than none and
> > > > OpenSMTPD's default should be the best way to handle opportunistic TLS
> > > > where you always try to use the highest protocol version supported with
> > > > the best ciphers supported, and there shouldn't need to be a knob for it.
> > >
> > > Whilst I agree with what you are saying for general purpose mail
> > > servers, I can see applications where enforced encryption levels are
> > > worth having. I can see that some company gateways, where they know
> > > all of the other endpoints, might wish to enforce appropriate
> > > encryption as everybody who should be talking to that MTA should be
> > > capable of it and anything else is therefore spam or hacking. This is
> > > particularly plausible on any link where TLS or SSL is already
> > > mandatory.
> > >
> >
> > please define "enforced encryption levels" ?
> >
> > pretty much anyone tweaking ssl_ciphers will actually downgrade security
> > or/and break interop with other servers. some people may know how to tie
> > things further for their specific use-cases but the minute we add a knob
> > other people will start using it and shoot themselves in the foot.
> >
> > At the time being we're looking to is to have the bulk of users safe by
> > default and we're looking for more:
> >
> >   https://twitter.com/Mayeu/status/474109854651785216
> >
> > "the magic of OpenSMTPD, you do no TLS configuration and you're graded A
> > by default <3 (test here: starttls.info)"
> >
> > I'm not saying that this will hold true forever but at this point in time
> > I would prefer that we don't have ssl_ciphers and that any improvement we
> > do is made to the default until we exhausted all possibilities to do so.
> >
> > --
> > Gilles Chehade
> >
> > https://www.poolp.org @poolpOrg

--
Gilles Chehade

https://www.poolp.org @poolpOrg
Re: How to configure encryption ciphers and SSL/TLS protocols
I think at build time you can fine-tune which ciphers you want by editing ssl.h -- in particular the SSL_CIPHERS define.

--Adam

On Mon, 9 Jun 2014, Gilles Chehade wrote:

> On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> > Hi
> >
> > >> That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> > >> the case for many years
> > >
> > > To parrot this on all of my various instances, OpenSMTPD and not, I get tons
> > > of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> > > every now and again I see SSLv2 attempts which for most of my instances get
> > > killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
> > > But seriously for email any transport encryption is better than none and
> > > OpenSMTPD's default should be the best way to handle opportunistic TLS
> > > where you always try to use the highest protocol version supported with the
> > > best ciphers supported, and there shouldn't need to be a knob for it.
> >
> > Whilst I agree with what you are saying for general purpose mail
> > servers, I can see applications where enforced encryption levels are
> > worth having. I can see that some company gateways, where they know
> > all of the other endpoints, might wish to enforce appropriate
> > encryption as everybody who should be talking to that MTA should be
> > capable of it and anything else is therefore spam or hacking. This is
> > particularly plausible on any link where TLS or SSL is already
> > mandatory.
> >
>
> please define "enforced encryption levels" ?
>
> pretty much anyone tweaking ssl_ciphers will actually downgrade security
> or/and break interop with other servers. some people may know how to tie
> things further for their specific use-cases but the minute we add a knob
> other people will start using it and shoot themselves in the foot.
>
> At the time being we're looking to is to have the bulk of users safe by
> default and we're looking for more:
>
>   https://twitter.com/Mayeu/status/474109854651785216
>
> "the magic of OpenSMTPD, you do no TLS configuration and you're graded A
> by default <3 (test here: starttls.info)"
>
> I'm not saying that this will hold true forever but at this point in time
> I would prefer that we don't have ssl_ciphers and that any improvement we
> do is made to the default until we exhausted all possibilities to do so.
>
> --
> Gilles Chehade
>
> https://www.poolp.org @poolpOrg
Re: How to configure encryption ciphers and SSL/TLS protocols
On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> Hi
>
> >> That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> >> the case for many years
> >
> > To parrot this on all of my various instances, OpenSMTPD and not, I get tons
> > of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> > every now and again I see SSLv2 attempts which for most of my instances get
> > killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
> > But seriously for email any transport encryption is better than none and
> > OpenSMTPD's default should be the best way to handle opportunistic TLS
> > where you always try to use the highest protocol version supported with the
> > best ciphers supported, and there shouldn't need to be a knob for it.
>
> Whilst I agree with what you are saying for general purpose mail
> servers, I can see applications where enforced encryption levels are
> worth having. I can see that some company gateways, where they know
> all of the other endpoints, might wish to enforce appropriate
> encryption as everybody who should be talking to that MTA should be
> capable of it and anything else is therefore spam or hacking. This is
> particularly plausible on any link where TLS or SSL is already
> mandatory.
>

please define "enforced encryption levels" ?

pretty much anyone tweaking ssl_ciphers will actually downgrade security or/and break interop with other servers. some people may know how to tie things further for their specific use-cases but the minute we add a knob other people will start using it and shoot themselves in the foot.

At the time being we're looking to is to have the bulk of users safe by default and we're looking for more:

  https://twitter.com/Mayeu/status/474109854651785216

"the magic of OpenSMTPD, you do no TLS configuration and you're graded A by default <3 (test here: starttls.info)"

I'm not saying that this will hold true forever but at this point in time I would prefer that we don't have ssl_ciphers and that any improvement we do is made to the default until we exhausted all possibilities to do so.

--
Gilles Chehade

https://www.poolp.org @poolpOrg
Re: How to configure encryption ciphers and SSL/TLS protocols
Hi

>> That's not correct no, I get plenty of TLS 1.0 traffic and it has been
>> the case for many years
>
> To parrot this on all of my various instances, OpenSMTPD and not, I get tons
> of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> every now and again I see SSLv2 attempts which for most of my instances get
> killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
> But seriously for email any transport encryption is better than none and
> OpenSMTPD's default should be the best way to handle opportunistic TLS
> where you always try to use the highest protocol version supported with the
> best ciphers supported, and there shouldn't need to be a knob for it.

Whilst I agree with what you are saying for general purpose mail servers, I can see applications where enforced encryption levels are worth having. I can see that some company gateways, where they know all of the other endpoints, might wish to enforce appropriate encryption as everybody who should be talking to that MTA should be capable of it and anything else is therefore spam or hacking. This is particularly plausible on any link where TLS or SSL is already mandatory.

Regards

JC
Re: How to configure encryption ciphers and SSL/TLS protocols
Gilles Chehade wrote, On 06/08/14 05:40:
> On Sat, Jun 07, 2014 at 03:40:12PM -0700, Clint Pachl wrote:
>> Is there a way to configure smtpd to only use specified ciphers or limit it
>> to TLSv1.[12]?
>>
>> I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's
>> `ssl_ciphers` or `ssl_protocols` configuration directives.
>
> no, we don't want to make this tunable. the rationale is that we want to
> propose the best encryption by default. if there is a better choice, it
> should be proposed and discussed openly as it should become the new
> default.
>
> yes, it's tempting to provide ssl_ciphers but unless there's a very good
> reason to do it, we won't introduce this new knob.

I must agree, I'm in favor of no knob as well.

>> The reason I ask is because I'm very close to failing my PCI compliance
>> because of smtpd. They score each compliance test from 0 to 9. If any single
>> score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently
>> receiving a risk score of 3.9. I have a feeling that in the not too distant
>> future this particular test will fail.
>>
>> My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to
>> information disclosure" because of the initialization vector implementations
>> in SSLv3 and TLSv1.0.
>>
>> Their stated resolution is:
>>
>> "Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
>> Configure SSL/TLS servers to only support cipher suites that do not use
>> block ciphers."
>
> This can certainly be improved without adding ssl_ciphers knob

How? Is there a workaround?

>> I'm not a mail expert, but my feeling is that secured email hasn't been
>> widespread until recent years. If any MTAs support encryption, they are
>> probably using the latest protocols and ciphers.
>
> That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> the case for many years

I stand corrected. Thanks Gilles.
Re: How to configure encryption ciphers and SSL/TLS protocols
> That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> the case for many years

To parrot this on all of my various instances, OpenSMTPD and not, I get tons of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck every now and again I see SSLv2 attempts which for most of my instances get killed. I haven't seen one on my OpenSMTPD instance yet but it's only time. But seriously for email any transport encryption is better than none and OpenSMTPD's default should be the best way to handle opportunistic TLS where you always try to use the highest protocol version supported with the best ciphers supported, and there shouldn't need to be a knob for it.

--
Jason Barbier | jab...@serversave.us
Pro Patria Vigilans
Re: How to configure encryption ciphers and SSL/TLS protocols
On Sat, Jun 07, 2014 at 03:40:12PM -0700, Clint Pachl wrote:
> Is there a way to configure smtpd to only use specified ciphers or limit it
> to TLSv1.[12]?
>
> I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's
> `ssl_ciphers` or `ssl_protocols` configuration directives.
>

no, we don't want to make this tunable. the rationale is that we want to propose the best encryption by default. if there is a better choice, it should be proposed and discussed openly as it should become the new default.

yes, it's tempting to provide ssl_ciphers but unless there's a very good reason to do it, we won't introduce this new knob.

> The reason I ask is because I'm very close to failing my PCI compliance
> because of smtpd. They score each compliance test from 0 to 9. If any single
> score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently
> receiving a risk score of 3.9. I have a feeling that in the not too distant
> future this particular test will fail.
>
> My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to
> information disclosure" because of the initialization vector implementations
> in SSLv3 and TLSv1.0.
>
> Their stated resolution is:
>
> "Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
> Configure SSL/TLS servers to only support cipher suites that do not use
> block ciphers."
>

This can certainly be improved without adding ssl_ciphers knob

> I'm not a mail expert, but my feeling is that secured email hasn't been
> widespread until recent years. If any MTAs support encryption, they are
> probably using the latest protocols and ciphers.
>

That's not correct no, I get plenty of TLS 1.0 traffic and it has been the case for many years

--
Gilles Chehade

https://www.poolp.org @poolpOrg
How to configure encryption ciphers and SSL/TLS protocols
Is there a way to configure smtpd to only use specified ciphers or limit it to TLSv1.[12]?

I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's `ssl_ciphers` or `ssl_protocols` configuration directives.

The reason I ask is because I'm very close to failing my PCI compliance because of smtpd. They score each compliance test from 0 to 9. If any single score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently receiving a risk score of 3.9. I have a feeling that in the not too distant future this particular test will fail.

My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to information disclosure" because of the initialization vector implementations in SSLv3 and TLSv1.0.

Their stated resolution is:

"Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers."

I'm not a mail expert, but my feeling is that secured email hasn't been widespread until recent years. If any MTAs support encryption, they are probably using the latest protocols and ciphers.