postfix and dovecot tls/ssl

  • Hello,


    I found this document: https://bettercrypto.org/static/applied-crypto-hardening.pdf
    It describes how to strengthen the encryption of different services. By checking it I found (maybe) a problem regarding the Postfix server-to-server SSL connection.


    Postfix
    Currently I-MSCP supports secure connections for the Postfix service, but two configuration properties that tell it to use them are missing:
    (This can be tested using https://www.checktls.com/perl/TestSender.pl)

    Code
    smtp_tls_security_level = may
    smtpd_tls_security_level = may
    tls_ssl_options = NO_COMPRESSION


    Can you include it in the I-MSCP configuration part?


    Short description:
    may = tries to send and receive e-mails using SSL encryption; if that is not possible, sends them in plain text.
    NO_COMPRESSION = there could be a security risk in using compression.


    Dovecot
    like Postfix: disable compression


    Code
    ssl_options = no_compression

    Edited once, last by UncleSam: links should be clickable links.

  • smtpd_tls_security_level = may

    That parameter is normally already added if you enable SSL for i-MSCP service:


    Code
    root@xenial:/usr/local/src/imscp# postconf smtpd_tls_security_level
    smtpd_tls_security_level = may
    root@xenial:/usr/local/src/imscp#


    smtp_tls_security_level = may

    That parameter shouldn't be required unless your Postfix server acts as a client, which is not the case with the default setup. For instance, this parameter is required when you use the smarthost listener.


  • @Nuxwin


    OK, I removed the "smtp_tls_security_level = may" which is missing, and checked again. After removing it there was no SSL connection between the servers.


    So it seemed to me that it is acting as a client. After searching on the internet I found an article which says that Postfix is always acting as a server for incoming mails and as a client for sending mails. If this is correct, the "smtp_tls_security_level = may" setting is needed too (like it is now for my environment).


    Sources: http://serverfault.com/a/521420 or http://www.ceus-now.com/when-does-postfix-act-like-a-client/


    I am not as deep into Postfix as you are, so it would be great if you could check/verify that if possible. For me, I am adding this client configuration setting because it is working and seems to be needed (for me).

  • @UncleSam


    There are two different contexts here:


    1. smtpd_tls_security_level = may


    Here, we enable TLS in opportunistic mode, meaning that its usage is not mandatory. The clients (you, me ...) have the choice to connect to the SMTP server through a mail client using TLS or not.


    2. smtp_tls_security_level = may


    This parameter applies to the client side of the SMTP server (Postfix), e.g., when Postfix sends a message to a remote SMTP server. As above, "may" means that TLS is supported but not mandatory. The remote SMTP server can have TLS disabled, and in this case the connection will not be encrypted.


    So, OK, we can add that parameter to enable TLS on the Postfix client side, but nothing will guarantee that the SMTP server will really use TLS. This only depends on the remote server (supporting TLS or not).


    About the tls_ssl_options Postfix parameter


    That parameter is only available in Postfix version >= 2.11. Because we still support Ubuntu Precise (LTS), which provides an older Postfix version, we cannot add it without adding a test in the server package. We like to avoid adding too many tests because maintenance would become a mess. To cover such a case, administrators can always create a listener file which will add that parameter. Anyway, note that the NO_COMPRESSION value is not directly related to security but more about performance.


    About ssl_options Dovecot parameter


    As said above, the no_compression value is not directly related to security.

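The two posts above (the first report listing the three parameters, and the reply separating the smtpd_* server context from the smtp_* client context and noting that tls_ssl_options needs Postfix >= 2.11) can be turned into a small audit of a main.cf. The following is an added example, not i-MSCP's own code or a Postfix tool: it parses main.cf syntax (including continuation lines), reports whether TLS is enabled for incoming (server) and outgoing (client) mail, and flags tls_ssl_options when the running Postfix version is older than 2.11. The sample main.cf excerpt and the version strings are constructed for the example; the SAMPLE_MAIN_CF, parse_main_cf, audit_tls and version_tuple names are this example's own.

```python
"""Audit a Postfix main.cf for the server- and client-side TLS settings.
Added example (not i-MSCP or Postfix code); sample input is constructed."""
import re

# Constructed main.cf excerpt: server side (smtpd_*) has TLS enabled,
# client side (smtp_*) is missing, which mirrors the situation in the thread.
SAMPLE_MAIN_CF = """\
# constructed main.cf excerpt
myhostname = mail.example.test
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file =
    /etc/ssl/private/postfix.key
"""

# Values that turn TLS on (any level other than 'none' or empty).
TLS_ON_LEVELS = {"may", "encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Parse Postfix main.cf syntax: 'name = value' lines, where a line that
    starts with whitespace continues the previous value. As in Postfix, a
    later assignment of the same name overrides an earlier one."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def version_tuple(version):
    """'2.11.3' -> (2, 11, 3); a packaging suffix such as '3.1.0-3ubuntu3'
    is tolerated by taking only the first three numeric components."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def audit_tls(params, postfix_version):
    """Return findings as (parameter, status, note) tuples for the two TLS
    contexts plus tls_ssl_options. Absent or empty means TLS is off for that
    context (leaving the legacy smtpd_use_tls/smtp_use_tls switches aside)."""
    findings = []
    contexts = (("smtpd_tls_security_level", "server (incoming mail)"),
                ("smtp_tls_security_level", "client (outgoing mail)"))
    for param, role in contexts:
        level = params.get(param, "") or "none"
        if level in TLS_ON_LEVELS:
            findings.append((param, "ok", f"{role}: TLS level '{level}'"))
        else:
            findings.append((param, "missing", f"{role}: no TLS ({param} is '{level}')"))
    if "tls_ssl_options" in params:
        # tls_ssl_options only exists in Postfix >= 2.11; older versions ignore it.
        status = "ok" if version_tuple(postfix_version) >= (2, 11) else "unsupported"
        findings.append(("tls_ssl_options", status,
                         f"set to '{params['tls_ssl_options']}', needs Postfix >= 2.11, "
                         f"running {postfix_version}"))
    return findings


if __name__ == "__main__":
    # Constructed version string for the demonstration run.
    for param, status, note in audit_tls(parse_main_cf(SAMPLE_MAIN_CF), "2.9.6"):
        print(f"[{status:11}] {param}: {note}")
```

On a live system the same check can be fed with `postconf -n` output (which uses the same `name = value` form) and `postconf mail_version` for the version string.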

  • @UncleSam


    A fix has been added in the 1.3.x branch. See:

    This fix will be part of next release.


    Thank you for your report.
