dovecot - Apr 2017 - confused with ssl settings and some error - need help

Hi,
To default dovecot.conf file I added (based on found documentation):
ssl = required
disable_plaintext_auth = yes     #change default 'no' to 'yes'
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
ssl_dh_parameters_length = 2048
ssl_cipher_list
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

1. Are these settings good or can be improved?
2. Is this line proper:
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
or maybe should be:
ssl_protocols = !SSLv2 !SSLv3
3. Last thing. I have below errors (they appear in loop in mail.err log
file):
#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
mac
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

When I setup in postfix main.cf file (other lines default):
tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = yes
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous,noplaintext
smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
#instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't
know what should be setup
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA

Is between dovecot and postfix some communication using above ciphers or
something that generate that errors in log or maybe some public client try
connect and can't establish connection?

Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and openssl
1.0.2k.
-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*




*tel. 534 555 877*

*serwis at poliman.pl <serwis at poliman.pl>*

> On April 27, 2017 at 8:12 AM Poliman - Serwis <serwis at poliman.pl>
wrote:
> 
> 
> Hi,
> To default dovecot.conf file I added (based on found documentation):
> ssl = required
> disable_plaintext_auth = yes     #change default 'no' to
'yes'
> ssl_prefer_server_ciphers = yes
> ssl_options = no_compression
> ssl_dh_parameters_length = 2048
> ssl_cipher_list >
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> 
This looks rather cumbersome way to define ciphers.
> 1. Are these settings good or can be improved?
> 2. Is this line proper:
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
Well if you only want to support TLSv1.2, which might lead into trouble.
> or maybe should be:
> ssl_protocols = !SSLv2 !SSLv3
> 3. Last thing. I have below errors (they appear in loop in mail.err log
> file):
> #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
> mac
> #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
This means your client did not support your enabled ciphers.
> 
> When I setup in postfix main.cf file (other lines default):
> tls_ssl_options = no_ticket, no_compression
> tls_preempt_cipherlist = yes
> smtpd_sasl_security_options=noanonymous,noplaintext
> smtpd_sasl_tls_security_options=noanonymous,noplaintext
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
> #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I
don't
> know what should be setup
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> 
> Is between dovecot and postfix some communication using above ciphers or
> something that generate that errors in log or maybe some public client try
> connect and can't establish connection?
> 
If you are using LMTP, then some of those settings will cause changes in how
LMTP works as well.

> Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and openssl
> 1.0.2k.
> -- 
> 
> *Pozdrawiam / Best Regards*
> *Piotr Bracha*
> 
> 
> 
> 
> *tel. 534 555 877*
> 
> *serwis at poliman.pl <serwis at poliman.pl>*
Aki

Thank You for answers. But:
1. How should be properly configured ssl_cipher_list?
2. Ok, removed !TLSv1 !TLSv1.1.
3. Strange thing with ssl_protocols and ssl_cipher_list, because on older
server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two
lines looks exactly this same and no errors in mail.err file and mailes
works without any problem.
4. No, currently I don't use LMTP.

2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>
> > On April 27, 2017 at 8:12 AM Poliman - Serwis <serwis at
poliman.pl> wrote:
> >
> >
> > Hi,
> > To default dovecot.conf file I added (based on found documentation):
> > ssl = required
> > disable_plaintext_auth = yes     #change default 'no' to
'yes'
> > ssl_prefer_server_ciphers = yes
> > ssl_options = no_compression
> > ssl_dh_parameters_length = 2048
> > ssl_cipher_list > >
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
> DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
> AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
> RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
> AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
> RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
> DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
> AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
> SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!
> RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-
> CBC3-SHA:!KRB5-DES-CBC3-SHA
> >
>
> This looks rather cumbersome way to define ciphers.
>
> > 1. Are these settings good or can be improved?
> > 2. Is this line proper:
> > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>
> Well if you only want to support TLSv1.2, which might lead into trouble.
>
> > or maybe should be:
> > ssl_protocols = !SSLv2 !SSLv3
> > 3. Last thing. I have below errors (they appear in loop in mail.err
log
> > file):
> > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record
> > mac
> > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked
error:
> > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
>
> This means your client did not support your enabled ciphers.
>
> >
> > When I setup in postfix main.cf file (other lines default):
> > tls_ssl_options = no_ticket, no_compression
> > tls_preempt_cipherlist = yes
> > smtpd_sasl_security_options=noanonymous,noplaintext
> > smtpd_sasl_tls_security_options=noanonymous,noplaintext
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
> > #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I
> don't
> > know what should be setup
> > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
> ECDHE-RSA-DES-CBC3-SHA,
> > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> > smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> aECDH,
> > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> >
> > Is between dovecot and postfix some communication using above ciphers
or
> > something that generate that errors in log or maybe some public client
> try
> > connect and can't establish connection?
> >
>
> If you are using LMTP, then some of those settings will cause changes in
> how LMTP works as well.
>
>
> > Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and
openssl
> > 1.0.2k.
> > --
> >
> > *Pozdrawiam / Best Regards*
> > *Piotr Bracha*
> >
> >
> >
> >
> > *tel. 534 555 877*
> >
> > *serwis at poliman.pl <serwis at poliman.pl>*
>
> Aki
>


-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*




*tel. 534 555 877*

*serwis at poliman.pl <serwis at poliman.pl>*