Weak Ciphers on Port 995/3 (Dovecot/Postfix)

Post by Anonymous » 2008-04-02 20:52

Hello,

I have set up a mail server that now runs perfectly so far
(Postfix/Dovecot/Squirrelmail).

Since the server is hosted at Strato and they offer a security scan (Nessus),
I ran it, and I always get the following security hole
reported:

Weak Supported SSL Ciphers Suites [ General ] Risk: Medium
Port: 995
Synopsis :
The remote service supports the use of weak SSL ciphers.
Description :
The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Solution :
Reconfigure the affected application if possible to avoid use of weak
ciphers.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
Here is the list of weak SSL ciphers supported by the remote server :
Null Ciphers (no encryption)
SSLv3
NULL-MD5 Kx=RSA Au=RSA Enc=None Mac=MD5
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
TLSv1
NULL-MD5 Kx=RSA Au=RSA Enc=None Mac=MD5
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}


Here is an excerpt from /etc/dovecot/dovecot.conf:

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =

# Disable SSL/TLS support.
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root.
ssl_cert_file = /etc/ssl/certs/dovecot.pem

ssl_key_file = /etc/ssl/private/dovecot.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =

# File containing trusted SSL certificate authorities. Usually not needed.
# The CAfile should contain the CA-certificate(s) followed by the matching
# CRL(s). CRL checking is new in dovecot .rc1
#ssl_ca_file =

# Request client to send a certificate.
#ssl_verify_client_cert = no

# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168

# SSL ciphers to use
ssl_cipher_list = SSLv3:TLSv1:!eNull:!aNull:!MEDIUM:!LOW:!SSLv2

# Show protocol level SSL errors.
verbose_ssl = yes


As I said, the server runs perfectly (pop3s, imaps); according to /var/log/mail.log, Dovecot starts without
problems.

Does anyone have any advice? I can't quite make sense of the OpenSSL documentation on ciphers, so I have
already tried quite a few things in ssl_cipher_list, but without success.

Many thanks in advance

Regards, Darthrox

Re: Weak Ciphers on Port 995/3 (Dovecot/Postfix)

Post by freddy36 » 2008-04-02 21:08

With

Code:

openssl ciphers -v '-ALL:!aNULL:!eNULL:!ADH:!LOW:!MEDIUM:!EXP:!SSLv2:HIGH'

have a look at whether there is anything in there you don't like, and adjust accordingly.

EDIT:
Documentation on this:
http://www.openssl.org/docs/apps/ciphers.html

Re: Weak Ciphers on Port 995/3 (Dovecot/Postfix)

Post by Anonymous » 2008-04-03 20:49

Thank you very much!

It worked perfectly!

/etc/dovecot/dovecot.conf:

Code:

ssl_cipher_list = ALL:!aNULL:!eNULL:!ADH:!LOW:!MEDIUM:!EXP:!SSLv2:HIGH


Regards

DR
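The check freddy36 suggests and the final ssl_cipher_list can be verified without rerunning Nessus. The following Python script is an added example, not code from this thread or from the Dovecot or OpenSSL projects. It parses lines in the `openssl ciphers -v` layout (the same fields the scanner printed), flags the properties the scanner reported (no encryption, anonymous key exchange, export grade, keys under 128 bits, legacy algorithms), and then feeds a cipher string to the OpenSSL build Python is linked with via `ssl.SSLContext.set_ciphers()` and audits what it expands to. The sample listing is constructed from the ciphers quoted above plus two strong ones for contrast; the function names are this example's own, and the thread's final string is written with the colon between `!ADH` and `!LOW`. Two details explain the first post's result: OpenSSL cipher keywords are case-sensitive, so `!eNull` does not match `eNULL`, and by the OpenSSL ciphers(1) definition `LOW` excludes export suites, so `!LOW` alone leaves the `EXP-` ciphers in place. Auditing the expanded list rather than trusting the keywords catches both.

```python
"""Audit a TLS cipher configuration the way the scanner output above does.

Added example, not from the thread: parse `openssl ciphers -v` style lines,
flag the weak properties, then expand a Dovecot ssl_cipher_list with the local
OpenSSL and audit the expansion.
"""
import re
import ssl

# Constructed sample in `openssl ciphers -v` layout: four ciphers the scanner
# listed, plus two strong ciphers so that the audit has something to pass.
SAMPLE_CIPHERS_V = """\
NULL-MD5                SSLv3 Kx=RSA       Au=RSA  Enc=None       Mac=MD5
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)   Au=None Enc=DES(40)    Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512)  Au=RSA  Enc=RC4(40)    Mac=MD5  export
DES-CBC3-SHA            SSLv3 Kx=RSA       Au=RSA  Enc=3DES(168)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA       Au=RSA  Enc=AES(256)   Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

_FIELD = re.compile(r"^(Kx|Au|Enc|Mac)=(.*)$")
_ALG_BITS = re.compile(r"^([^(]+)(?:\((\d+)\))?$")

# Symmetric algorithms with practical breaks (RC4, RC2, DES) or a 64-bit block (3DES)
LEGACY_ALGORITHMS = {"DES", "3DES", "RC2", "RC4"}


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict.

    The protocol column is optional, so the scanner listing above, which moves
    the protocol into a heading line, parses as well.
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty cipher line")
    cipher = {"name": tokens[0], "protocol": None, "export": False,
              "kx": None, "au": None, "enc": None, "bits": None, "mac": None}
    for tok in tokens[1:]:
        m = _FIELD.match(tok)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if key == "enc":
                alg, bits = _ALG_BITS.match(value).groups()
                cipher["enc"] = alg
                cipher["bits"] = int(bits) if bits else None
            else:
                cipher[key] = value
        elif tok == "export":
            cipher["export"] = True
        elif cipher["protocol"] is None:
            cipher["protocol"] = tok
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    return cipher


def weaknesses(cipher):
    """Return the reasons a parsed cipher would be reported as weak (empty if none)."""
    reasons = []
    if cipher["enc"] == "None":
        reasons.append("no encryption")
    if cipher["au"] == "None":
        reasons.append("anonymous key exchange (no server authentication)")
    if cipher["export"]:
        reasons.append("export-grade cipher")
    if cipher["bits"] is not None and cipher["bits"] < 128:
        reasons.append(f"{cipher['bits']}-bit key")
    if cipher["enc"] in LEGACY_ALGORITHMS:
        reasons.append(f"legacy algorithm {cipher['enc']}")
    return reasons


def audit_cipher_listing(text):
    """Map cipher name -> reasons for every weak cipher in a `-v` style listing."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:   # skip headings such as 'SSLv3'
            continue
        cipher = parse_cipher_line(line)
        reasons = weaknesses(cipher)
        if reasons:
            findings[cipher["name"]] = reasons
    return findings


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL and audit the result.

    SSLContext.get_ciphers() returns the same description line that
    `openssl ciphers -v` prints, so the parser above is reused unchanged.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    listing = "\n".join(c["description"] for c in ctx.get_ciphers())
    return audit_cipher_listing(listing)


# The thread's final Dovecot value, with the colon between !ADH and !LOW.
DOVECOT_CIPHER_LIST = "ALL:!aNULL:!eNULL:!ADH:!LOW:!MEDIUM:!EXP:!SSLv2:HIGH"

if __name__ == "__main__":
    for name, reasons in audit_cipher_listing(SAMPLE_CIPHERS_V).items():
        print(f"{name:28s} {', '.join(reasons)}")
    print("weak ciphers left by ssl_cipher_list:",
          audit_cipher_string(DOVECOT_CIPHER_LIST) or "none")
```

`audit_cipher_string` reports what the OpenSSL linked into the local Python would negotiate, which depends on its version and on any system crypto policy, so the run that counts is the one on the mail server itself, or `openssl ciphers -v` piped into `audit_cipher_listing` there.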