Hello all:

For several years I have been running the following on a Linux server.

Dovecot Version: 2.0.9

*IMAP:*
Connection Security: SSL/TLS
Port: 993
Authentication Method: Normal Password

*SMTP:*
Connection Security: STARTTLS
Port: 587
Authentication Method: Normal Password

The E-mail client is Thunderbird on Windows.

I am preparing a new server, with Dovecot 2.2.36, and would like to know the currently recommended protocols. Should I stick to what I have? I would prefer to start with the easiest configuration possible, which I will revise later.

This is the command that I have been using to verify the server's functionality:

% openssl s_client -connect localhost:imaps

TIA
Greetings,

On Mon, 2020-11-09 at 23:42 -0600, Raymond Herrera wrote:
> For several years I have been running the following on a Linux server.
>
> Dovecot Version: 2.0.9
>
> *IMAP:*
> Connection Security: SSL/TLS
> Port: 993
> Authentication Method: Normal Password
>
> *SMTP:*
> Connection Security: STARTTLS
> Port: 587
> Authentication Method: Normal Password

Pretty standard setup.

Personally I am using Postfix for SMTP/Submission and Dovecot for IMAP - both with STARTTLS. I use a couple of MXs to actually do the initial receiving of email, so everything auth related (and address related) is in a multi-master LDAP server on each machine. Using Dovecot-SASL for SMTP auth too.

> The E-mail client is Thunderbird on Windows.

In my experience pretty much any client works with this setup.

-- 
Nikolai Lusan <nikolai at lusan.id.au>
On 10/11/20 1:52 pm, Nikolai Lusan wrote:
> Greetings,
>
> On Mon, 2020-11-09 at 23:42 -0600, Raymond Herrera wrote:
>> For several years I have been running the following on a Linux server.
>>
>> Dovecot Version: 2.0.9
>>
>> *IMAP:*
>> Connection Security: SSL/TLS
>> Port: 993
>> Authentication Method: Normal Password
>>
>> *SMTP:*
>> Connection Security: STARTTLS
>> Port: 587
>> Authentication Method: Normal Password
>
> Pretty standard setup.
>
> Personally I am using Postfix for SMTP/Submission and Dovecot for IMAP - both with STARTTLS. I use a couple of MXs to actually do the initial receiving of email, so everything auth related (and address related) is in a multi-master LDAP server on each machine. Using Dovecot-SASL for SMTP auth too.
>
>> The E-mail client is Thunderbird on Windows.
>
> In my experience pretty much any client works with this setup.

I also use STARTTLS, though I expose that on both the IMAP and IMAPS ports, which is consistent with a number of major IMAP providers.

Selection of ciphers is important. I researched this recently and use this stanza in the configuration:

ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes

The defaults in dovecot are shown commented out in conf.d/10-ssl.conf. They are not best practice for security.
Good. I am going to focus on the IMAP configuration and worry about SMTP later.

The following is the relevant documentation. This is very straightforward:
https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/

My file 10-ssl.conf is untouched. However, this is the part that I would like to understand better:
https://doc.dovecot.org/admin_manual/ssl/certificate_creation/

Before creating my own certificate (which I have done in the past for my old server), I am curious. Is there anything wrong with the one that comes with the distribution?

ssl_cert = < /etc/pki/dovecot/certs/dovecot.pem
ssl_key = < /etc/pki/dovecot/private/dovecot.pem

As I stated before, I am attempting to achieve the simplest installation possible, which will be tightened later.

Thanks!

On 11/9/2020 11:52 PM, Nikolai Lusan wrote:
> Greetings,
>
> On Mon, 2020-11-09 at 23:42 -0600, Raymond Herrera wrote:
>> For several years I have been running the following on a Linux server.
>>
>> Dovecot Version: 2.0.9
>>
>> *IMAP:*
>> Connection Security: SSL/TLS
>> Port: 993
>> Authentication Method: Normal Password
>>
>> *SMTP:*
>> Connection Security: STARTTLS
>> Port: 587
>> Authentication Method: Normal Password
>
> Pretty standard setup.
>
> In my experience pretty much any client works with this setup.
On 10.11.20 at 06:42, Raymond Herrera wrote:
> I am preparing a new server, with Dovecot 2.2.36, and would like to know the currently recommended protocols. Should I stick to what I have? I would prefer to start with the easiest configuration possible, which I will revise later.
>
> This is the command that I have been using to verify the server's functionality:

RFC 8314 suggests preferring implicit TLS over STARTTLS:
https://tools.ietf.org/html/rfc8314#section-3

Modern clients work mostly fine with that recommendation, too.

Andreas
Good. The options provided by Thunderbird are: None, STARTTLS and SSL/TLS. So I will select the last one. Will I have to modify anything on the Dovecot side?

So far, my only modification to the file 10-mail.conf has been this:

mail_location = maildir:~/Mail

Raymond

On 11/10/2020 8:39 AM, A. Schulze wrote:
>
> On 10.11.20 at 06:42, Raymond Herrera wrote:
>> I am preparing a new server, with Dovecot 2.2.36, and would like to know the currently recommended protocols. Should I stick to what I have? I would prefer to start with the easiest configuration possible, which I will revise later.
>>
>> This is the command that I have been using to verify the server's functionality:
>
> RFC 8314 suggests preferring implicit TLS over STARTTLS:
> https://tools.ietf.org/html/rfc8314#section-3
>
> Modern clients work mostly fine with that recommendation, too.
>
> Andreas
After some experimenting with:

(a) The Thunderbird client
(b) The Linux command as client:
    % openssl s_client -connect dovecot-server:imaps

I have arrived at a preliminary conclusion. The error that I am getting is this:

dovecot: imap-login: Disconnected: TLS: SSL_read() failed: SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42

It seems that the server certificate from the box is fine. I am guessing that the problem is that Dovecot asks for an SSL certificate that the Thunderbird client is not prepared to produce. I don't believe Thunderbird provides such a capability (??).

If that is the case, how do I configure Dovecot to not ask for a client certificate?

Thanks,
Raymond

PS: If I am correct, the error message would be more informative as follows: "ssl3_read_bytes:sslv3 alert bad _*client*_ certificate".

On 11/9/2020 11:42 PM, Raymond Herrera wrote:
>
> The E-mail client is Thunderbird on Windows.
>
> I am preparing a new server, with Dovecot 2.2.36, and would like to know the currently recommended protocols. Should I stick to what I have? I would prefer to start with the easiest configuration possible, which I will revise later.
>
> This is the command that I have been using to verify the server's functionality:
>
>
> TIA
>
On 11/10/20 7:07 AM, Raymond Herrera wrote:
> I don't believe Thunderbird provides such a capability (??).

It does; works fine. FYI:
https://www.helmholtz-berlin.de/zentrum/locations/it/email/sig/cert-tbird_en.html

> If that is the case, how do I configure Dovecot to not ask for a client certificate?

In your ssl config, you can specify/override ssl requirements for individual protocols. E.g.

...
protocol imap {
  ssl_verify_client_cert = yes
  auth_ssl_require_client_cert = no
  ssl = required
}
protocol submission {
  ssl_verify_client_cert = yes
  auth_ssl_require_client_cert = no
  ssl = required
}
...

Of course, change those params above to your specific requirements.
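The cipher stanza posted earlier in the thread and the per-protocol client-certificate block above are the two sets of knobs this discussion settles on. As an added example (not from this thread and not Dovecot's own code), the Python script below parses a Dovecot-style 10-ssl.conf, including "protocol name { ... }" blocks, and reports the conditions the thread warns about: plaintext logins still allowed, a minimum protocol version below TLS 1.2, an unset or weak cipher list, the client rather than the server choosing the cipher, and a protocol block that makes client certificates mandatory so that a client without one cannot log in. The parser, the rule set and both sample configurations are constructed for this example; ssl_min_protocol is the Dovecot 2.3 setting name, Dovecot 2.2 expresses the same thing with ssl_protocols and "!" to disable versions, and the script accepts either.

```python
"""Audit a Dovecot-style TLS configuration for the weak settings raised in
this thread.  The parser and the rule set are this example's own (not
Dovecot code); the sample configurations below are constructed."""
from dataclasses import dataclass, field

# Protocol versions that should no longer be negotiable.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings marking a cipher-list token as weak unless it is negated with '!'.
WEAK_CIPHER_TOKENS = ("NULL", "EXPORT", "RC4", "DES", "MD5")


@dataclass
class DovecotConfig:
    settings: dict = field(default_factory=dict)   # top-level key -> value
    protocols: dict = field(default_factory=dict)  # "imap" -> {key: value}


def parse_dovecot(text):
    """Parse 'key = value' lines and 'protocol NAME { ... }' blocks.
    Comment and blank lines are skipped; a '<path' value (Dovecot's
    read-from-file syntax used for ssl_cert/ssl_key) keeps just the path."""
    cfg = DovecotConfig()
    stack = []  # headers of the enclosing blocks, e.g. ["protocol imap"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("<"):
            value = value[1:].strip()
        target = cfg.settings
        if stack and stack[-1].startswith("protocol "):
            target = cfg.protocols.setdefault(stack[-1].split(None, 1)[1], {})
        target[key] = value
    return cfg


def audit_tls(cfg):
    """Return a list of findings; an empty list means every check passed."""
    s = cfg.settings
    findings = []
    # 1. Refuse plaintext logins outright.
    if s.get("ssl") != "required":
        findings.append("ssl is not 'required': plaintext logins are possible")
    # 2. Minimum version: ssl_min_protocol (2.3) or ssl_protocols with '!' (2.2).
    min_proto, legacy = s.get("ssl_min_protocol"), s.get("ssl_protocols")
    if min_proto is not None:
        if min_proto in WEAK_PROTOCOLS:
            findings.append(f"ssl_min_protocol = {min_proto} allows a version with known weaknesses")
    elif legacy is not None:
        disabled = {t[1:] for t in legacy.split() if t.startswith("!")}
        still_on = sorted(WEAK_PROTOCOLS - disabled)
        if still_on:
            findings.append("ssl_protocols leaves enabled: " + ", ".join(still_on))
    else:
        findings.append("no minimum TLS version is set; the build default applies")
    # 3. Cipher list must be set and must not enable known-weak families.
    ciphers = s.get("ssl_cipher_list", "")
    if not ciphers:
        findings.append("ssl_cipher_list is not set; the OpenSSL default list applies")
    for token in ciphers.split(":"):
        if token and not token.startswith("!") and any(w in token for w in WEAK_CIPHER_TOKENS):
            findings.append(f"ssl_cipher_list enables weak cipher token {token!r}")
    # 4. Let the server, not the client, choose from the list.
    if s.get("ssl_prefer_server_ciphers", "no") != "yes":
        findings.append("ssl_prefer_server_ciphers is not 'yes'; the client picks the cipher")
    # 5. verify=yes together with require=yes means a client that presents no
    #    valid certificate cannot authenticate on that protocol.
    for name, p in cfg.protocols.items():
        if p.get("ssl_verify_client_cert") == "yes" and p.get("auth_ssl_require_client_cert") == "yes":
            findings.append(f"protocol {name}: a valid client certificate is mandatory")
    return findings


# Constructed sample: a loosened 2.2-style file that only disables SSLv2.
WEAK_CONF = """
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_protocols = !SSLv2
"""

# Constructed sample: the hardened stanza from the thread, plus a protocol
# block that requests a client certificate without requiring one.
HARDENED_CONF = """
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes

protocol imap {
  # request a client certificate but let password-only clients log in
  ssl_verify_client_cert = yes
  auth_ssl_require_client_cert = no
}
"""

if __name__ == "__main__":
    for label, conf in (("loosened", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for finding in audit_tls(parse_dovecot(conf)) or ["no findings"]:
            print("  -", finding)
```

Run it against a real file with parse_dovecot(open("/etc/dovecot/conf.d/10-ssl.conf").read()); the settings that Dovecot leaves commented out in the distribution file are skipped by the parser, so an untouched file shows up as "no minimum TLS version is set" and "ssl_cipher_list is not set", which is exactly the situation the thread describes.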
On Tue, Nov 10, 2020 at 09:07:37AM -0600, Raymond Herrera wrote:
>
> I have arrived at a preliminary conclusion. The error that I am getting is
> this:
>
> dovecot: imap-login: Disconnected: TLS: SSL_read() failed: SSL
> routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
>

SSLv3 is no longer considered safe. You shouldn't use it. If the mail client program can't use something newer (I only allow TLSv2 and TLSv3), I would question whether it's a good choice. Because runaway spam is the kiss of death with blacklisting and IP reputation.

Isn't sslv3 disallowed in the default config???

If it's only for reading and not sending mail, then just manually set it up as sslv3 allowed.

Hopefully this is helpful. Debug logs can be helpful \o/, or just confusing :-[ but they are long to read through.

Good luck!
Chris Bennett
On Mon, 9 Nov 2020, Raymond Herrera wrote:
> I am preparing a new server, with Dovecot 2.2.36, and would like to know the
> currently recommended protocols. Should I stick to what I have? I would
> prefer to start with the easiest configuration possible, which I will revise
> later.
>
> This is the command that I have been using to verify the server's
> functionality:
>
> % openssl s_client -connect localhost:imaps

Implicit SSL (SSL/TLS) has the slight advantage over STARTTLS that a MITM cannot strip the STARTTLS server banner during the session handshake and downgrade the client to plaintext.

However, the most important security considerations are:

- set the SSL version to at least TLS 1.2 to avoid known weaknesses in older versions.
- set the cipher list to avoid weak ciphers. One of many guides:
  https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- (client) enforce an SSL connection (i.e. refuse plaintext sessions).

Joseph Tam <jtam.home at gmail.com>
On 10/11/2020 13.42, Raymond Herrera wrote:
> I am preparing a new server, with Dovecot 2.2.36, and would like to know the currently recommended protocols. Should I stick to what I have? I would prefer to start with the easiest configuration possible, which I will revise later.

This is a pretty useful resource, I've found.
https://ssl-config.mozilla.org/

You can choose a level of strictness to suit your environment, dovecot version etc.

P.