What kind of test are you running? Aki> On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis at poliman.pl> wrote: > > > I turned of ssl_cipher_list in dovecot.conf file (so it's default) but test > still gives errors: > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number > Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record > mac > Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record > mac > Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record > mac > Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record > mac > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > > > 2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis at poliman.pl>: > > > Cipher list which You post provide better compatibility or security than > > those which I currently have? > > On older software version these cipher list works well and not generate > > any errors when I run Internal PCI scan test from > > https://cloud.tenable.com for another server. But for new server with > > newer software during test I got errors in mail.err. > > > > 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > > > >> > >> > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> > >> wrote: > >> > > >> > > >> > Thank You for answers. But: > >> > 1. How should be properly configured ssl_cipher_list? > >> > >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU > >> LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > >> > >> To disable non-EC DH, use: > >> > >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS: > >> !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > >> > >> > 2. Ok, removed !TLSv1 !TLSv1.1. > >> > 3. Strange thing with ssl_protocols and ssl_cipher_list, because on > >> older > >> > server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two > >> > lines looks exactly this same and no errors in mail.err file and mailes > >> > works without any problem. > >> > 4. No, currently I don't use LMTP. > >> > >> it is possible that postfix is not causing this error. > >> > >> > > >> > 2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > >> > > >> > > > >> > > > On April 27, 2017 at 8:12 AM Poliman - Serwis <serwis at poliman.pl> > >> wrote: > >> > > > > >> > > > > >> > > > Hi, > >> > > > To default dovecot.conf file I added (based on found documentation): > >> > > > ssl = required > >> > > > disable_plaintext_auth = yes #change default 'no' to 'yes' > >> > > > ssl_prefer_server_ciphers = yes > >> > > > ssl_options = no_compression > >> > > > ssl_dh_parameters_length = 2048 > >> > > > ssl_cipher_list > >> > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > >> > > ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > >> > > DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > >> > > AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > >> > > SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > >> > > RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > >> > > AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > >> > > RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > >> > > DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > >> > > AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > >> > > SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:! > >> > > RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES- > >> > > CBC3-SHA:!KRB5-DES-CBC3-SHA > >> > > > > >> > > > >> > > This looks rather cumbersome way to define ciphers. > >> > > > >> > > > 1. Are these settings good or can be improved? > >> > > > 2. Is this line proper: > >> > > > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > >> > > > >> > > Well if you only want to support TLSv1.2, which might lead into > >> trouble. > >> > > > >> > > > or maybe should be: > >> > > > ssl_protocols = !SSLv2 !SSLv3 > >> > > > 3. Last thing. I have below errors (they appear in loop in mail.err > >> log > >> > > > file): > >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked > >> error: > >> > > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol > >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked > >> error: > >> > > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version > >> number > >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked > >> error: > >> > > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or > >> bad > >> > > record > >> > > > mac > >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked > >> error: > >> > > > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher > >> > > > >> > > This means your client did not support your enabled ciphers. > >> > > > >> > > > > >> > > > When I setup in postfix main.cf file (other lines default): > >> > > > tls_ssl_options = no_ticket, no_compression > >> > > > tls_preempt_cipherlist = yes > >> > > > smtpd_sasl_security_options=noanonymous,noplaintext > >> > > > smtpd_sasl_tls_security_options=noanonymous,noplaintext > >> > > > smtpd_tls_mandatory_ciphers = high > >> > > > smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem > >> > > > #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I > >> > > don't > >> > > > know what should be setup > >> > > > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, > >> PSK, > >> > > > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, > >> > > ECDHE-RSA-DES-CBC3-SHA, > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA > >> > > > smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, > >> > > aECDH, > >> > > > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA > >> > > > > >> > > > Is between dovecot and postfix some communication using above > >> ciphers or > >> > > > something that generate that errors in log or maybe some public > >> client > >> > > try > >> > > > connect and can't establish connection? > >> > > > > >> > > > >> > > If you are using LMTP, then some of those settings will cause changes > >> in > >> > > how LMTP works as well. > >> > > > >> > > > >> > > > Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and > >> openssl > >> > > > 1.0.2k. > >> > > > -- > >> > > > > >> > > > *Pozdrawiam / Best Regards* > >> > > > *Piotr Bracha* > >> > > > > >> > > > > >> > > > > >> > > > > >> > > > *tel. 534 555 877* > >> > > > > >> > > > *serwis at poliman.pl <serwis at poliman.pl>* > >> > > > >> > > Aki > >> > > > >> > > >> > > >> > > >> > -- > >> > > >> > *Pozdrawiam / Best Regards* > >> > *Piotr Bracha* > >> > > >> > > >> > > >> > > >> > *tel. 534 555 877* > >> > > >> > *serwis at poliman.pl <serwis at poliman.pl>* > >> > > > > > > > > -- > > > > *Pozdrawiam / Best Regards* > > *Piotr Bracha* > > > > > > > > > > *tel. 534 555 877* > > > > *serwis at poliman.pl <serwis at poliman.pl>* > > > > > > -- > > *Pozdrawiam / Best Regards* > *Piotr Bracha* > > > > > *tel. 534 555 877* > > *serwis at poliman.pl <serwis at poliman.pl>*
Poliman - Serwis
2017-May-05 05:21 UTC
confused with ssl settings and some error - need help
Internal PCI Scan on Tenable.io website. Of course after register account. 2017-04-30 9:11 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:> What kind of test are you running? > > Aki > > > On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis at poliman.pl> > wrote: > > > > > > I turned of ssl_cipher_list in dovecot.conf file (so it's default) but > test > > still gives errors: > > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol > > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol > > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number > > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number > > Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad > record > > mac > > Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad > record > > mac > > Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad > record > > mac > > Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad > record > > mac > > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > > Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > > > > > > 2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis at poliman.pl>: > > > > > Cipher list which You post provide better compatibility or security > than > > > those which I currently have? > > > On older software version these cipher list works well and not generate > > > any errors when I run Internal PCI scan test from > > > https://cloud.tenable.com for another server. But for new server with > > > newer software during test I got errors in mail.err. > > > > > > 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > > > > > >> > > >> > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> > > >> wrote: > > >> > > > >> > > > >> > Thank You for answers. But: > > >> > 1. How should be properly configured ssl_cipher_list? > > >> > > >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU > > >> LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > > >> > > >> To disable non-EC DH, use: > > >> > > >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS: > > >> !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > > >> > > >> > 2. Ok, removed !TLSv1 !TLSv1.1. > > >> > 3. Strange thing with ssl_protocols and ssl_cipher_list, because on > > >> older > > >> > server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these > two > > >> > lines looks exactly this same and no errors in mail.err file and > mailes > > >> > works without any problem. > > >> > 4. No, currently I don't use LMTP. > > >> > > >> it is possible that postfix is not causing this error. > > >> > > >> > > > >> > 2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > > >> > > > >> > > > > >> > > > On April 27, 2017 at 8:12 AM Poliman - Serwis < > serwis at poliman.pl> > > >> wrote: > > >> > > > > > >> > > > > > >> > > > Hi, > > >> > > > To default dovecot.conf file I added (based on found > documentation): > > >> > > > ssl = required > > >> > > > disable_plaintext_auth = yes #change default 'no' to 'yes' > > >> > > > ssl_prefer_server_ciphers = yes > > >> > > > ssl_options = no_compression > > >> > > > ssl_dh_parameters_length = 2048 > > >> > > > ssl_cipher_list > > >> > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > > >> > > ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > > >> > > DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > > >> > > AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > > >> > > SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > > >> > > RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > > >> > > AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > > >> > > RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > > >> > > DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > > >> > > AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > > >> > > SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:! > > >> > > RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES- > > >> > > CBC3-SHA:!KRB5-DES-CBC3-SHA > > >> > > > > > >> > > > > >> > > This looks rather cumbersome way to define ciphers. > > >> > > > > >> > > > 1. Are these settings good or can be improved? > > >> > > > 2. Is this line proper: > > >> > > > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > > >> > > > > >> > > Well if you only want to support TLSv1.2, which might lead into > > >> trouble. > > >> > > > > >> > > > or maybe should be: > > >> > > > ssl_protocols = !SSLv2 !SSLv3 > > >> > > > 3. Last thing. I have below errors (they appear in loop in > mail.err > > >> log > > >> > > > file): > > >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: > Stacked > > >> error: > > >> > > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown > protocol > > >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: > Stacked > > >> error: > > >> > > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version > > >> number > > >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: > Stacked > > >> error: > > >> > > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed > or > > >> bad > > >> > > record > > >> > > > mac > > >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: > Stacked > > >> error: > > >> > > > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared > cipher > > >> > > > > >> > > This means your client did not support your enabled ciphers. > > >> > > > > >> > > > > > >> > > > When I setup in postfix main.cf file (other lines default): > > >> > > > tls_ssl_options = no_ticket, no_compression > > >> > > > tls_preempt_cipherlist = yes > > >> > > > smtpd_sasl_security_options=noanonymous,noplaintext > > >> > > > smtpd_sasl_tls_security_options=noanonymous,noplaintext > > >> > > > smtpd_tls_mandatory_ciphers = high > > >> > > > smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem > > >> > > > #instead of below I tried smtpd_tls_mandatory_exclude_ciphers > but I > > >> > > don't > > >> > > > know what should be setup > > >> > > > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, > > >> PSK, > > >> > > > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, > > >> > > ECDHE-RSA-DES-CBC3-SHA, > > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA > > >> > > > smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, > PSK, > > >> > > aECDH, > > >> > > > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, > ECDHE-RSA-DES-CBC3-SHA, > > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA > > >> > > > > > >> > > > Is between dovecot and postfix some communication using above > > >> ciphers or > > >> > > > something that generate that errors in log or maybe some public > > >> client > > >> > > try > > >> > > > connect and can't establish connection? > > >> > > > > > >> > > > > >> > > If you are using LMTP, then some of those settings will cause > changes > > >> in > > >> > > how LMTP works as well. > > >> > > > > >> > > > > >> > > > Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and > > >> openssl > > >> > > > 1.0.2k. > > >> > > > -- > > >> > > > > > >> > > > *Pozdrawiam / Best Regards* > > >> > > > *Piotr Bracha* > > >> > > > > > >> > > > > > >> > > > > > >> > > > > > >> > > > *tel. 534 555 877* > > >> > > > > > >> > > > *serwis at poliman.pl <serwis at poliman.pl>* > > >> > > > > >> > > Aki > > >> > > > > >> > > > >> > > > >> > > > >> > -- > > >> > > > >> > *Pozdrawiam / Best Regards* > > >> > *Piotr Bracha* > > >> > > > >> > > > >> > > > >> > > > >> > *tel. 534 555 877* > > >> > > > >> > *serwis at poliman.pl <serwis at poliman.pl>* > > >> > > > > > > > > > > > > -- > > > > > > *Pozdrawiam / Best Regards* > > > *Piotr Bracha* > > > > > > > > > > > > > > > *tel. 534 555 877* > > > > > > *serwis at poliman.pl <serwis at poliman.pl>* > > > > > > > > > > > -- > > > > *Pozdrawiam / Best Regards* > > *Piotr Bracha* > > > > > > > > > > *tel. 534 555 877* > > > > *serwis at poliman.pl <serwis at poliman.pl>* >-- *Pozdrawiam / Best Regards* *Piotr Bracha* *tel. 534 555 877* *serwis at poliman.pl <serwis at poliman.pl>*
Then it's rather expected that you'll get some TLS errors, especially when tenable.io tests for algorithms to see which ones work and which ones wont. Aki> On May 5, 2017 at 8:21 AM Poliman - Serwis <serwis at poliman.pl> wrote: > > > Internal PCI Scan on Tenable.io website. Of course after register account. > > 2017-04-30 9:11 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > > > What kind of test are you running? > > > > Aki > > > > > On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis at poliman.pl> > > wrote: > > > > > > > > > I turned of ssl_cipher_list in dovecot.conf file (so it's default) but > > test > > > still gives errors: > > > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol > > > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol > > > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number > > > Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number > > > Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad > > record > > > mac > > > Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad > > record > > > mac > > > Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad > > record > > > mac > > > Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad > > record > > > mac > > > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > > > Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: > > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > > > Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > > > error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext > > > > > > > > > 2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis at poliman.pl>: > > > > > > > Cipher list which You post provide better compatibility or security > > than > > > > those which I currently have? > > > > On older software version these cipher list works well and not generate > > > > any errors when I run Internal PCI scan test from > > > > https://cloud.tenable.com for another server. But for new server with > > > > newer software during test I got errors in mail.err. > > > > > > > > 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > > > > > > > >> > > > >> > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> > > > >> wrote: > > > >> > > > > >> > > > > >> > Thank You for answers. But: > > > >> > 1. How should be properly configured ssl_cipher_list? > > > >> > > > >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU > > > >> LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > > > >> > > > >> To disable non-EC DH, use: > > > >> > > > >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS: > > > >> !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH > > > >> > > > >> > 2. Ok, removed !TLSv1 !TLSv1.1. > > > >> > 3. Strange thing with ssl_protocols and ssl_cipher_list, because on > > > >> older > > > >> > server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these > > two > > > >> > lines looks exactly this same and no errors in mail.err file and > > mailes > > > >> > works without any problem. > > > >> > 4. No, currently I don't use LMTP. > > > >> > > > >> it is possible that postfix is not causing this error. > > > >> > > > >> > > > > >> > 2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > > > >> > > > > >> > > > > > >> > > > On April 27, 2017 at 8:12 AM Poliman - Serwis < > > serwis at poliman.pl> > > > >> wrote: > > > >> > > > > > > >> > > > > > > >> > > > Hi, > > > >> > > > To default dovecot.conf file I added (based on found > > documentation): > > > >> > > > ssl = required > > > >> > > > disable_plaintext_auth = yes #change default 'no' to 'yes' > > > >> > > > ssl_prefer_server_ciphers = yes > > > >> > > > ssl_options = no_compression > > > >> > > > ssl_dh_parameters_length = 2048 > > > >> > > > ssl_cipher_list > > > >> > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: > > > >> > > ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: > > > >> > > DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+ > > > >> > > AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > > > >> > > SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- > > > >> > > RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- > > > >> > > AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE- > > > >> > > RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: > > > >> > > DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256: > > > >> > > AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128- > > > >> > > SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:! > > > >> > > RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES- > > > >> > > CBC3-SHA:!KRB5-DES-CBC3-SHA > > > >> > > > > > > >> > > > > > >> > > This looks rather cumbersome way to define ciphers. > > > >> > > > > > >> > > > 1. Are these settings good or can be improved? > > > >> > > > 2. Is this line proper: > > > >> > > > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 > > > >> > > > > > >> > > Well if you only want to support TLSv1.2, which might lead into > > > >> trouble. > > > >> > > > > > >> > > > or maybe should be: > > > >> > > > ssl_protocols = !SSLv2 !SSLv3 > > > >> > > > 3. Last thing. I have below errors (they appear in loop in > > mail.err > > > >> log > > > >> > > > file): > > > >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: > > Stacked > > > >> error: > > > >> > > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown > > protocol > > > >> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: > > Stacked > > > >> error: > > > >> > > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version > > > >> number > > > >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: > > Stacked > > > >> error: > > > >> > > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed > > or > > > >> bad > > > >> > > record > > > >> > > > mac > > > >> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: > > Stacked > > > >> error: > > > >> > > > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared > > cipher > > > >> > > > > > >> > > This means your client did not support your enabled ciphers. > > > >> > > > > > >> > > > > > > >> > > > When I setup in postfix main.cf file (other lines default): > > > >> > > > tls_ssl_options = no_ticket, no_compression > > > >> > > > tls_preempt_cipherlist = yes > > > >> > > > smtpd_sasl_security_options=noanonymous,noplaintext > > > >> > > > smtpd_sasl_tls_security_options=noanonymous,noplaintext > > > >> > > > smtpd_tls_mandatory_ciphers = high > > > >> > > > smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem > > > >> > > > #instead of below I tried smtpd_tls_mandatory_exclude_ciphers > > but I > > > >> > > don't > > > >> > > > know what should be setup > > > >> > > > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, > > > >> PSK, > > > >> > > > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, > > > >> > > ECDHE-RSA-DES-CBC3-SHA, > > > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA > > > >> > > > smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, > > PSK, > > > >> > > aECDH, > > > >> > > > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, > > ECDHE-RSA-DES-CBC3-SHA, > > > >> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA > > > >> > > > > > > >> > > > Is between dovecot and postfix some communication using above > > > >> ciphers or > > > >> > > > something that generate that errors in log or maybe some public > > > >> client > > > >> > > try > > > >> > > > connect and can't establish connection? > > > >> > > > > > > >> > > > > > >> > > If you are using LMTP, then some of those settings will cause > > changes > > > >> in > > > >> > > how LMTP works as well. > > > >> > > > > > >> > > > > > >> > > > Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and > > > >> openssl > > > >> > > > 1.0.2k. > > > >> > > > -- > > > >> > > > > > > >> > > > *Pozdrawiam / Best Regards* > > > >> > > > *Piotr Bracha* > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > *tel. 534 555 877* > > > >> > > > > > > >> > > > *serwis at poliman.pl <serwis at poliman.pl>* > > > >> > > > > > >> > > Aki > > > >> > > > > > >> > > > > >> > > > > >> > > > > >> > -- > > > >> > > > > >> > *Pozdrawiam / Best Regards* > > > >> > *Piotr Bracha* > > > >> > > > > >> > > > > >> > > > > >> > > > > >> > *tel. 534 555 877* > > > >> > > > > >> > *serwis at poliman.pl <serwis at poliman.pl>* > > > >> > > > > > > > > > > > > > > > > -- > > > > > > > > *Pozdrawiam / Best Regards* > > > > *Piotr Bracha* > > > > > > > > > > > > > > > > > > > > *tel. 534 555 877* > > > > > > > > *serwis at poliman.pl <serwis at poliman.pl>* > > > > > > > > > > > > > > > > -- > > > > > > *Pozdrawiam / Best Regards* > > > *Piotr Bracha* > > > > > > > > > > > > > > > *tel. 534 555 877* > > > > > > *serwis at poliman.pl <serwis at poliman.pl>* > > > > > > -- > > *Pozdrawiam / Best Regards* > *Piotr Bracha* > > > > > *tel. 534 555 877* > > *serwis at poliman.pl <serwis at poliman.pl>*
Apparently Analagous Threads
- confused with ssl settings and some error - need help
- confused with ssl settings and some error - need help
- confused with ssl settings and some error - need help
- confused with ssl settings and some error - need help
- confused with ssl settings and some error - need help