LinuxQuestions.org
Old 08-12-2010, 03:59 AM   #1
ahingert
Postfix, disabling SSLv2: not trivial


Hi,
I am a new poster, although I've been a lurker for a long time, and I hope the wealth of experience on LinuxQuestions can help me solve an issue I've been pulling my hair out over for the last week.

I am undergoing PCI compliance scans and have been able to solve all the issues indicated with the exception of one: "SSL Server Supports Weak Encryption Vulnerability" over port 25. Now, before I go over the list of solutions I've tried, let me post my Postfix main.cf and master.cf:

Code:
main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
mynetworks = $config_directory/mynetworks
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.5/samples
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
inet_protocols = all

virtual_mailbox_domains         = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_base            = /var/vmail
virtual_mailbox_maps            = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_alias_maps              = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_mailbox_limit_maps      = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_minimum_uid             = 101
virtual_uid_maps                = static:101
virtual_gid_maps                = static:12
dovecot_destination_recipient_limit = 1
local_transport					= virtual

smtpd_sasl_auth_enable          = yes
smtpd_sasl_local_domain         = $myhostname
smtpd_sasl_exceptions_networks  = $mynetworks
smtpd_sasl_security_options     = noanonymous
broken_sasl_auth_clients        = yes
smtpd_sasl_type                 = dovecot
smtpd_tls_auth_only				= yes
smtpd_sasl_path                 = private/auth

smtp_tls_CAfile                   = /etc/pki/tls/certs/example_com.ca-bundle
smtp_tls_cert_file                = /etc/pki/tls/certs/example_com.crt
smtp_tls_key_file                 = /etc/pki/tls/private/myserver.key
smtp_tls_session_cache_database   = btree:$data_directory/smtp_tls_session_cache
smtp_tls_security_level           = may
smtpd_tls_CAfile                  = /etc/pki/tls/certs/example_com.ca-bundle
smtpd_tls_cert_file               = /etc/pki/tls/certs/example_com.crt
smtpd_tls_key_file                = /etc/pki/tls/private/myserver.key

smtpd_tls_security_level          = may
smtpd_tls_received_header         = yes
smtpd_tls_ask_ccert               = yes
smtpd_tls_loglevel                = 1
tls_random_source                 = dev:/dev/urandom

smtpd_helo_required             = yes
disable_vrfy_command            = yes
non_fqdn_reject_code            = 450
invalid_hostname_reject_code    = 450
maps_rbl_reject_code            = 450


smtpd_recipient_restrictions = 	permit_mynetworks
								permit_sasl_authenticated
								reject_unauth_destination
Code:
master.cf
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
	-o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
(As a side note, I need to inform you that I am running Fedora 12 and that this version of Postfix (2.6.5) is compiled with MySQL so it can use PostfixAdmin.)

Anyway, as I said I have tried a number of things so here we go:

I've disabled weak ciphers in the httpd.conf, but this works only on port 443:
Code:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
I've tried disabling weak ciphers in the main.cf file of Postfix, but to no effect:
Code:
smtpd_tls_mandatory_protocols = SSLv3 TLSv1 !SSLv2
smtpd_tls_mandatory_ciphers = medium
I have also tried a number of weird combinations of Postfix configuration options, but all to no avail.

Adding the following configuration options to the master.cf file does indeed allow me to disable SSLv2, but it unfortunately has the side effect of stopping my server from receiving any email:
Code:
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
Does anybody have any ideas? I am pulling my hair out!


Thanks,
Adrien

Last edited by ahingert; 12-19-2010 at 01:14 PM. Reason: Renamed my domain to example
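Postfix reads different protocol lists depending on the security level: with smtpd_tls_security_level = may, the opportunistic-TLS parameter smtpd_tls_protocols (Postfix 2.6 and later) is what governs port 25, while smtpd_tls_mandatory_protocols only applies at level encrypt or stricter. The following Python script is an added example, not part of the thread: it parses a main.cf and reports which parameter is in force and whether it leaves SSLv2 out. The sample excerpt is constructed, and the built-in defaults are assumed to be those of Postfix 2.6.

```python
import re
# Constructed excerpt modelled on the main.cf in the post above (sample data).
SAMPLE_MAIN_CF = """\
# opportunistic TLS on port 25
smtpd_tls_security_level          = may
smtpd_tls_mandatory_protocols = SSLv3 TLSv1 !SSLv2
smtpd_recipient_restrictions =  permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
"""

# Postfix 2.6 built-in values assumed here; an empty list means every protocol.
DEFAULTS = {"smtpd_tls_protocols": "",
            "smtpd_tls_mandatory_protocols": "SSLv3, TLSv1"}

def parse_main_cf(text):
    """Parse main.cf: 'key = value', '#' comments, and continuation lines
    that begin with whitespace and extend the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def sslv2_excluded(protocol_list):
    """Inclusive list (SSLv3 TLSv1) or exclusion list (!SSLv2); when any
    '!' token is present Postfix honours only the exclusions."""
    tokens = [t for t in re.split(r"[\s,]+", protocol_list) if t]
    if not tokens:
        return False  # empty list = every protocol, SSLv2 included
    if any(t.startswith("!") for t in tokens):
        return "!SSLv2" in tokens
    return "SSLv2" not in tokens

def audit(params):
    """Level 'may' reads smtpd_tls_protocols; 'encrypt' and stricter
    levels read smtpd_tls_mandatory_protocols."""
    level = params.get("smtpd_tls_security_level", "none")
    if level == "none":
        return {"level": level, "parameter": None, "sslv2_excluded": True}
    param = f"smtpd_tls_{'' if level == 'may' else 'mandatory_'}protocols"
    value = params.get(param, DEFAULTS[param])
    return {"level": level, "parameter": param, "value": value,
            "sslv2_excluded": sslv2_excluded(value)}
```

Running audit() on the sample shows the mandatory list is never consulted at level may, so the effective list is the empty default and SSLv2 stays on; setting smtpd_tls_protocols = !SSLv2 flips the result.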
Old 08-31-2010, 03:50 PM   #2
fredless
Same question...

Any luck with this?