-
Notifications
You must be signed in to change notification settings - Fork 216
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security scan fresh install of iRedmail #22
Comments
Change in configs: /etc/dovecot/dovecot.conf Best Regards |
TLSv1/1.1 are enabled on purpose to support old mail client applications and old MTAs. I think it's ok to force TLSv1.2 for POP3/IMAP, HTTPS and |
More security for ngnix to get A+ in https://www.ssllabs.com/ssltest/analyze.html File: /etc/nginx/templates/ssl.tmpl |
It would be better if you can show me the different settings compared to default iRedMail settings. :) |
Hello, Global :
For Amavis
For PostFix :
For Dovecot :
For nginx :
|
Fixed.
Not all DNS vendors support key length >= 2048, so we stick to 1024.
Why disable TLS? TLS is recommended over SSL. |
Please take note that StartTLS and TLS are not the same thing which confuse a lot of people. In a some of popular mail clients we can find the following pattern :
This is why i recommend to stop using the "TLS" term to mean StartTLS and recommend using "SSL" (which will be "real" TLS in practice but whatever).
For DKIM, then please let the user choose between 1024 or 2048 at the installation, depending of the situation. |
|
This is suggestion for the transition period (slowly drop SSL). We disable it by default, but leave tutorial to sysadmin to enable it if needed by their organization. Conclusion: no plan to enable it by default. Sorry. |
Could you please include the link to this tutorial in one the mails you get with the first setup domain then ? :) Like in the same mail i mentioned earlier : "If SMTPS (port 465) is required, please checkout this tutorial :" |
There is also the mention of "TLS" in in the "docs" repository. |
Hello, I'm reusing this issue to point out that i think we both misread RFC8314 at that time : https://twitter.com/bortzmeyer/status/1272957636368007168 "The RFC explains it. Basically, the security weaknesses of STARTTLS are well known (vulnerability to SSL striping) and therefore systematic TLS is required." So i still suggest that port 465 should be enabled using SSL/TLS (aka implicit encryption) by default. |
Also from the Wikipedia page you quote : https://docs.iredmail.org/enable.smtps.html |
Are we talking about RFC 8314 in your twitter thread? IF yes, and if i understand the RFC document correctly, what the RFC recommends is disable cleartext services. To achieve the goal, suggested steps are:
STARTTLS is the RECOMMENDED one, and dedicated port with SSL support is DEPRECATED. It doesn't mention smtps/465 is the future at all. |
Any related document of "the security weaknesses of STARTTLS"? |
btw, with default iRedMail settings, POP3/IMAP/SMTP/HTTPS connections between server and end user / MUA are forced to be secure connections:
|
yes.
No, the term "Implicit TLS" is clearly defined at section 2 from rfc8314 :
From section 3 :
STARTTLS is by definition an "explicit TLS" solution since you have to execute the STARTTLS command to use TLS.
Also no, now that we have a clear definition of "implicit TLS", section 3.3 from the rfc contradict your argument.
Also the IANA registry has been modified with that in mind : https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
https://www.kb.cert.org/vuls/id/555316 As stated in the RFC, if STARTTLS is implemented correctly, there shouldn't be any problem at the time being, tho it is recommended to use "Implicit TLS" which you can be sure, won't have this type of issue since there is no plaintext phase at all. If you can read French (or have a good translator), i highly recommend Bortzmeyer's blog post on this subject : https://www.bortzmeyer.org/8314.html So the recommended configuration, based on RFC8314 would be at that time :
and then in an ideal future :
As stated in section 1 :
|
Hello,
I just do security scan of fresh install iRedmail and this is report:
TLS Version 1.0 Protocol Detection on ports:
25, 110, 143, 587, 993, 995
Solution:
Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.
Description
The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used whenever possible.
As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.
TLS Version 1.1 Protocol Detection on ports:
25, 110, 143, 587, 993, 995
Solution:
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
Description
The remote service accepts connections encrypted using TLS 1.1.
TLS 1.1 lacks support for current and recommended cipher suites.
Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM cannot be used with TLS 1.1
As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST) on ports:
25, 587
Solution:
Configure SSL/TLS servers to only use TLS 1.2 if supported.
Description
A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
The text was updated successfully, but these errors were encountered: