LinuxQuestions.org

Thread URL: http://www.linuxquestions.org/questions/linux-software-2/postfix-disabling-sslv2-not-trivial-825729/

ahingert 08-12-2010 02:59 AM

Postfix, disabling SSLv2: not trivial
 
Hi,
I am a new poster, although I've been a lurker for a long time, and I hope the wealth of experience on LinuxQuestions can help me solve an issue I've been pulling my hair out over for the last week.

I am undergoing PCI compliance scans and have been able to solve all the issues indicated with the exception of one: "SSL Server Supports Weak Encryption Vulnerability" over port 25. Now, before I go over the list of solutions I've tried, let me post my Postfix main.cf and master.cf:

Code:

main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
mynetworks = $config_directory/mynetworks
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.5/samples
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
inet_protocols = all

virtual_mailbox_domains    = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_base       = /var/vmail
virtual_mailbox_maps       = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_alias_maps         = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_minimum_uid        = 101
virtual_uid_maps           = static:101
virtual_gid_maps           = static:12
dovecot_destination_recipient_limit = 1
local_transport            = virtual

smtpd_sasl_auth_enable         = yes
smtpd_sasl_local_domain        = $myhostname
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options    = noanonymous
broken_sasl_auth_clients       = yes
smtpd_sasl_type                = dovecot
smtpd_tls_auth_only            = yes
smtpd_sasl_path                = private/auth

smtp_tls_CAfile                 = /etc/pki/tls/certs/example_com.ca-bundle
smtp_tls_cert_file              = /etc/pki/tls/certs/example_com.crt
smtp_tls_key_file               = /etc/pki/tls/private/myserver.key
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_security_level         = may
smtpd_tls_CAfile                = /etc/pki/tls/certs/example_com.ca-bundle
smtpd_tls_cert_file             = /etc/pki/tls/certs/example_com.crt
smtpd_tls_key_file              = /etc/pki/tls/private/myserver.key

smtpd_tls_security_level  = may
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert       = yes
smtpd_tls_loglevel        = 1
tls_random_source         = dev:/dev/urandom

smtpd_helo_required          = yes
disable_vrfy_command         = yes
non_fqdn_reject_code         = 450
invalid_hostname_reject_code = 450
maps_rbl_reject_code         = 450

smtpd_recipient_restrictions = permit_mynetworks
                               permit_sasl_authenticated
                               reject_unauth_destination

Code:

master.cf
# service   type  private unpriv chroot wakeup maxproc command
smtp        inet  n       -      n      -      -       smtpd
pickup      fifo  n       -      n      60     1       pickup
cleanup     unix  n       -      n      -      0       cleanup
qmgr        fifo  n       -      n      300    1       qmgr
tlsmgr      unix  -       -      n      1000?  1       tlsmgr
rewrite     unix  -       -      n      -      -       trivial-rewrite
bounce      unix  -       -      n      -      0       bounce
defer       unix  -       -      n      -      0       bounce
trace       unix  -       -      n      -      0       bounce
verify      unix  -       -      n      -      1       verify
flush       unix  n       -      n      1000?  0       flush
proxymap    unix  -       -      n      -      -       proxymap
proxywrite  unix  -       -      n      -      1       proxymap
smtp        unix  -       -      n      -      -       smtp
relay       unix  -       -      n      -      -       smtp
        -o smtp_fallback_relay=
showq       unix  n       -      n      -      -       showq
error       unix  -       -      n      -      -       error
retry       unix  -       -      n      -      -       error
discard     unix  -       -      n      -      -       discard
local       unix  -       n      n      -      -       local
virtual     unix  -       n      n      -      -       virtual
lmtp        unix  -       -      n      -      -       lmtp
anvil       unix  -       -      n      -      1       anvil
scache      unix  -       -      n      -      1       scache

(As a side note, I need to inform you that I am running Fedora 12 and that this version of Postfix (2.6.5) is compiled with MySQL so it can use PostfixAdmin.)

Anyway, as I said, I have tried a number of things, so here we go:

I've disabled weak ciphers in the httpd.conf, but this works only on port 443:
Code:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

I've tried disabling weak ciphers in the main.cf file of Postfix, but to no effect:
Code:

smtpd_tls_mandatory_protocols = SSLv3 TLSv1 !SSLv2
smtpd_tls_mandatory_ciphers = medium

I have also tried a number of weird combinations of Postfix configuration options, but all to no avail.

Adding the following configuration options to the master.cf file does indeed allow me to disable SSLv2, but it unfortunately has the side effect of stopping my server from receiving any email:
Code:

        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes

Does anybody have any ideas? I am pulling my hair out!


Thanks,
Adrien
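The behaviour described in this post follows from two documented Postfix rules. First, smtpd_tls_mandatory_protocols and smtpd_tls_mandatory_ciphers only govern mandatory TLS (smtpd_tls_security_level = encrypt); with the opportunistic setting used in this main.cf (smtpd_tls_security_level = may) the protocol list comes from smtpd_tls_protocols, a parameter that exists since Postfix 2.6 (so it is available on the 2.6.5 build named above) and whose default in that release is empty, meaning every protocol including SSLv2 is offered. Second, smtpd_tls_wrappermode=yes makes a service expect TLS from the first byte (the SMTPS model), so attaching it to the port-25 smtp service turns away every plain-SMTP and STARTTLS sender; it belongs on a separate smtps service instead. The script below is an added example, not code from this thread or from the Postfix project: it parses a main.cf (comments and indented continuation lines) and a master.cf and flags exactly those two conditions. The sample configurations embedded in it are constructed to mirror the settings posted above, and the Postfix 2.6 defaults it assumes for the two protocol parameters are marked in comments.

```python
"""Lint Postfix main.cf / master.cf for the opportunistic-vs-mandatory TLS protocol trap."""
import re

ALL_PROTOS = {"SSLv2", "SSLv3", "TLSv1"}  # protocols Postfix 2.6 / OpenSSL 0.9.8 knew about


def parse_main_cf(text):
    """Parse main.cf into a dict; handles '#' comments and indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:   # continuation of previous value
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


def protocol_set(spec):
    """Resolve a Postfix protocol list ('SSLv3 TLSv1 !SSLv2', '!SSLv2, !SSLv3', '') to enabled protocols.
    Mirrors Postfix: if any protocol is named positively, only those are enabled; '!' entries are excluded."""
    tokens = [t for t in re.split(r"[\s,]+", spec.strip()) if t]
    if not tokens:
        return set(ALL_PROTOS)                       # empty list = no restriction
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    return (included - excluded) if included else (ALL_PROTOS - excluded)


def effective_smtpd_protocols(params):
    """Return (governing parameter name, enabled protocols) for the smtpd service."""
    level = params.get("smtpd_tls_security_level", "none")
    if level == "encrypt":                           # mandatory TLS
        name = "smtpd_tls_mandatory_protocols"
        spec = params.get(name, "SSLv3, TLSv1")      # assumed Postfix 2.6 default
    else:                                            # opportunistic TLS ("may")
        name = "smtpd_tls_protocols"
        spec = params.get(name, "")                  # assumed Postfix 2.6 default: empty = everything
    return name, protocol_set(spec)


def lint_main_cf(params):
    """Return findings about SSLv2 on inbound SMTP; an empty list means SSLv2 is off."""
    level = params.get("smtpd_tls_security_level", "none")
    if level == "none":
        return ["smtpd TLS not enabled; nothing to check"]
    name, enabled = effective_smtpd_protocols(params)
    if "SSLv2" not in enabled:
        return []
    msg = f'SSLv2 still offered: {name} governs at smtpd_tls_security_level = {level}'
    if name == "smtpd_tls_protocols" and "smtpd_tls_mandatory_protocols" in params:
        msg += " (smtpd_tls_mandatory_protocols is ignored for opportunistic TLS)"
    return [msg]


def lint_master_cf(text):
    """Flag smtpd_tls_wrappermode=yes on the 'smtp inet' (port 25) service."""
    findings, service = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":                      # service definition line
            fields = raw.split()
            service = (fields[0], fields[1]) if len(fields) >= 2 else None
            continue
        if service == ("smtp", "inet") and "smtpd_tls_wrappermode=yes" in raw.replace(" ", ""):
            findings.append("wrapper mode on the port-25 smtp service: plain SMTP and STARTTLS "
                            "clients cannot connect; move the -o lines to a separate smtps service")
    return findings


# Constructed samples modelled on the thread's configuration (not the original files).
POSTED_MAIN_CF = """\
# opportunistic TLS, but only the *mandatory* protocol list was restricted
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = SSLv3 TLSv1 !SSLv2
smtpd_tls_mandatory_ciphers = medium
smtpd_recipient_restrictions = permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
"""
FIXED_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
"""
POSTED_MASTER_CF = """\
smtp      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""
FIXED_MASTER_CF = """\
smtp      inet  n  -  n  -  -  smtpd
smtps     inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

if __name__ == "__main__":
    for label, main_cf, master_cf in (("posted", POSTED_MAIN_CF, POSTED_MASTER_CF),
                                      ("fixed", FIXED_MAIN_CF, FIXED_MASTER_CF)):
        findings = lint_main_cf(parse_main_cf(main_cf)) + lint_master_cf(master_cf)
        print(f"{label}: " + ("\n  ".join(findings) if findings else "OK"))
```

After changing the setting and reloading Postfix, the server's own STARTTLS negotiation can be exercised with `openssl s_client -connect mail.example.com:25 -starttls smtp`; on an OpenSSL build old enough to still contain SSLv2 (the 0.9.8/1.0.x era this thread dates from), adding `-ssl2` to that command should then be refused. `postconf -d smtpd_tls_protocols` prints the compiled-in default for the installed version, which is the value the script assumes when the parameter is absent.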

fredless 08-31-2010 02:50 PM

Same question...
 
Any luck with this?

