Poliman - Serwis
2017-Apr-27 07:55 UTC
confused with ssl settings and some error - need help
Thank you for the answers. But:
1. How should ssl_cipher_list be properly configured?
2. OK, removed !TLSv1 !TLSv1.1.
3. Strange thing with ssl_protocols and ssl_cipher_list, because on an older server with Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines look exactly the same, there are no errors in the mail.err file and mail works without any problem.
4. No, currently I don't use LMTP.

2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> > On April 27, 2017 at 8:12 AM Poliman - Serwis <serwis at poliman.pl> wrote:
> >
> > Hi,
> > To the default dovecot.conf file I added (based on documentation I found):
> > ssl = required
> > disable_plaintext_auth = yes #change default 'no' to 'yes'
> > ssl_prefer_server_ciphers = yes
> > ssl_options = no_compression
> > ssl_dh_parameters_length = 2048
> > ssl_cipher_list
> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
> This looks like a rather cumbersome way to define ciphers.
>
> > 1. Are these settings good or can they be improved?
> > 2. Is this line proper:
> > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>
> Well, if you only want to support TLSv1.2, which might lead to trouble.
>
> > or maybe it should be:
> > ssl_protocols = !SSLv2 !SSLv3
> > 3. Last thing. I have the errors below (they appear in a loop in the mail.err log file):
> > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
>
> This means your client did not support your enabled ciphers.
>
> > When I set up in the postfix main.cf file (other lines default):
> > tls_ssl_options = no_ticket, no_compression
> > tls_preempt_cipherlist = yes
> > smtpd_sasl_security_options=noanonymous,noplaintext
> > smtpd_sasl_tls_security_options=noanonymous,noplaintext
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
> > #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't know what should be set up
> > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> > smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> >
> > Is there some communication between dovecot and postfix using the above ciphers, or something else that generates those errors in the log, or maybe some public client tries to connect and can't establish a connection?
>
> If you are using LMTP, then some of those settings will cause changes in how LMTP works as well.
>
> > Server with Ubuntu 16.04 LTS, postfix 3.1, dovecot 2.2.22 and openssl 1.0.2k.
> >
> > --
> > Pozdrawiam / Best Regards
> > Piotr Bracha
> > tel. 534 555 877
> > serwis at poliman.pl <serwis at poliman.pl>
>
> Aki

--
Pozdrawiam / Best Regards
Piotr Bracha
tel. 534 555 877
serwis at poliman.pl <serwis at poliman.pl>
Aki Tuomi
2017-Apr-27 08:00 UTC
confused with ssl settings and some error - need help
> On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> wrote:
>
> Thank you for the answers. But:
> 1. How should ssl_cipher_list be properly configured?

ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

To disable non-EC DH, use:

ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

> 2. OK, removed !TLSv1 !TLSv1.1.
> 3. Strange thing with ssl_protocols and ssl_cipher_list, because on an older server with Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines look exactly the same, there are no errors in the mail.err file and mail works without any problem.
> 4. No, currently I don't use LMTP.

It is possible that postfix is not causing this error.

> [...]

Aki
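Aki's one-line list is easier to reason about than the hand-written one because OpenSSL expands it for you. The following Python is an added example (not code from the thread or from Dovecot) that feeds both strings from this thread through the same OpenSSL cipher-string parser Dovecot hands `ssl_cipher_list` to, via Python's `ssl` module, which is backed by whatever OpenSSL is installed locally, so the exact suite names will differ from the 1.0.2k in the thread. It then reports what each string still permits. The point it demonstrates: Aki's `!kRSA` removes every static-RSA key-exchange suite (no forward secrecy), which the original list keeps through `AES128-SHA`, `AES128-GCM-SHA256`, `AES`, `CAMELLIA` and friends; and OpenSSL's `DES` alias matches only single DES, so 3DES has to be excluded with `!3DES` (as Aki does) rather than by naming individual suites. TLS 1.3 suites are controlled by a separate OpenSSL setting and are filtered out here.

```python
import ssl

# Aki's suggested list from the reply above. The archive shows " at STRENGTH";
# that is the mailing-list software mangling "@STRENGTH", restored here.
AKI_LIST = ("ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:"
            "!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH")

# The hand-written list from the first post, joined back onto one line.
ORIGINAL_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:AES:CAMELLIA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Substrings of suite names that should never survive a sane exclusion list.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")


def expand(cipher_string):
    """Suites OpenSSL selects for cipher_string (TLS 1.2 and below only).

    SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list(), the same
    function Dovecot passes ssl_cipher_list to, and raises ssl.SSLError
    if the string selects nothing at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are governed by a separate setting and always appear,
    # so drop them and look only at what the cipher string controls.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise what a cipher string still allows."""
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        # Static RSA key exchange has no forward secrecy; OpenSSL's
        # description string for such suites contains "Kx=RSA".
        "static_rsa": sorted(c["name"] for c in suites
                             if "Kx=RSA" in c["description"]),
        "weak": sorted(c["name"] for c in suites
                       if any(m in c["name"] for m in WEAK_MARKERS)),
    }


if __name__ == "__main__":
    for label, cipher_string in (("original", ORIGINAL_LIST), ("aki", AKI_LIST)):
        result = audit(cipher_string)
        print(f"{label}: {result['count']} suites at TLS<=1.2")
        print(f"  static RSA kx: {result['static_rsa'] or 'none'}")
        print(f"  weak names:    {result['weak'] or 'none'}")
```

Run it on the server in question and compare the `static_rsa` line for the two strings; if the older server's OpenSSL still contains suites the newer one has dropped, the `count` difference is the first clue to why "no shared cipher" started appearing only after the upgrade.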
Poliman - Serwis
2017-Apr-27 08:34 UTC
confused with ssl settings and some error - need help
Does the cipher list which you posted provide better compatibility or security than the one I currently have? On the older software version this cipher list works well and does not generate any errors when I run an Internal PCI scan test from https://cloud.tenable.com for another server. But for the new server with newer software I got errors in mail.err during the test.

2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
> > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> wrote:
> >
> > Thank you for the answers. But:
> > 1. How should ssl_cipher_list be properly configured?
>
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
> To disable non-EC DH, use:
>
> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
> > 2. OK, removed !TLSv1 !TLSv1.1.
> > 3. Strange thing with ssl_protocols and ssl_cipher_list, because on an older server with Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines look exactly the same, there are no errors in the mail.err file and mail works without any problem.
> > 4. No, currently I don't use LMTP.
>
> It is possible that postfix is not causing this error.
>
> > [...]
>
> Aki

--
Pozdrawiam / Best Regards
Piotr Bracha
tel. 534 555 877
serwis at poliman.pl <serwis at poliman.pl>
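The thread stops without tying the four mail.err errors to a source, but the errors themselves say what the peer did wrong, and the timing says whether they coincide with the PCI scan mentioned above. The following Python is an added example (not from the thread or from Dovecot) that parses the quoted imap-login lines, attaches the server-side meaning of each OpenSSL reason string, and buckets the errors by reason and by minute so an operator can tell a scan window from real client failures. The sample log is constructed from the four lines in the thread plus one extra line a minute later; the `#` the poster prefixed each line with is dropped.

```python
import re
from collections import Counter

# Constructed sample: the four mail.err lines quoted in the thread plus one
# extra "no shared cipher" line a minute later, so the per-minute view has
# two buckets.
SAMPLE_LOG = """\
Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Apr 25 14:09:02 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

# syslog timestamp, host, dovecot service, then the OpenSSL error triple
# "error:<code>:<library>:<function>:<reason>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<proc>[\w-]+): Error: SSL: Stacked error: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# What each OpenSSL reason string means from the server's side.
MEANING = {
    "unknown protocol": "the first bytes were not an SSL/TLS ClientHello at all "
                        "(plaintext or a non-TLS probe on the TLS port)",
    "wrong version number": "the record carried a protocol version the server "
                            "does not accept (e.g. a disabled SSL version)",
    "no shared cipher": "the client offered no suite present in ssl_cipher_list",
    "decryption failed or bad record mac": "a record failed its integrity check; "
                                           "the handshake was malformed or aborted",
}


def parse(log_text):
    """Return one dict per matching line; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["minute"] = rec["ts"][:-3]  # "Apr 25 14:08:09" -> "Apr 25 14:08"
        rec["meaning"] = MEANING.get(rec["reason"], "unclassified OpenSSL error")
        records.append(rec)
    return records


def summarize(records):
    """Counts per OpenSSL reason string and per wall-clock minute."""
    return {
        "by_reason": Counter(r["reason"] for r in records),
        "per_minute": Counter(r["minute"] for r in records),
    }


def bursts(records, threshold):
    """Minutes with at least `threshold` SSL errors, in log order."""
    per_minute = summarize(records)["per_minute"]
    return [minute for minute, n in per_minute.items() if n >= threshold]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    summary = summarize(recs)
    for reason, n in summary["by_reason"].most_common():
        print(f"{n:3d}  {reason}: {MEANING[reason]}")
    print("busy minutes:", bursts(recs, 3))
```

A cluster of "unknown protocol" and "wrong version number" within the same minute as "no shared cipher" is the signature of something deliberately trying protocol versions and suites the server has turned off, which is what a PCI scanner does; a lone, repeating "no shared cipher" from the same minute every few seconds is more typical of a real client that cannot agree on a suite and should be checked against the list Aki posted.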