habe einen Mailserver eingerichtet, der jetzt auch soweit perfekt läuft.
(Postfix/Dovecot/Squirrelmail).
Da der Server bei Strato liegt und die einen SecurityScan anbieten (Nessus)
habe ich diesen mal laufen lassen und ich bekomme immer folgendes
Sicherheitsleck angezeigt :
Hier noch ein Auszug aus der /etc/dovecot/dovecot.conf :Weak Supported SSL Ciphers Suites [ General ] Risk: Medium
Port: 995
Synopsis :
The remote service supports the use of weak SSL ciphers.
Description :
The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.
See also :
3
http://www.openssl.org/docs/apps/ciphers.html
Solution :
Reconfigure the affected application if possible to avoid use of weak
ciphers.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
Here is the list of weak SSL ciphers supported by the remote server :
Null Ciphers (no encryption)
SSLv3
NULL−MD5 Kx=RSA Au=RSA Enc=None Mac=MD5
NULL−SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
TLSv1
NULL−MD5 Kx=RSA Au=RSA Enc=None Mac=MD5
NULL−SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
Low Strength Ciphers (< 56−bit key)
SSLv3
EXP−ADH−DES−CBC−SHA Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP−ADH−RC4−MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP−EDH−RSA−DES−CBC−SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP−DES−CBC−SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP−RC2−CBC−MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP−RC4−MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP−EDH−RSA−DES−CBC−SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP−ADH−DES−CBC−SHA Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 export
EXP−ADH−RC4−MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP−DES−CBC−SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP−RC2−CBC−MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP−RC4−MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Wie gesagt, läuft der Server perfekt (pop3s, imaps) - laut /var/log/mail.log startet dovecot ohne# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =
# Disable SSL/TLS support.
ssl_disable = no
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root.
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =
# File containing trusted SSL certificate authorities. Usually not needed.
# The CAfile should contain the CA-certificate(s) followed by the matching
# CRL(s). CRL checking is new in dovecot .rc1
#ssl_ca_file =
# Request client to send a certificate.
#ssl_verify_client_cert = no
# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168
# SSL ciphers to use
ssl_cipher_list = SSLv3:TLSv1:!eNull:!aNull:!MEDIUM:!LOW:!SSLv2
# Show protocol level SSL errors.
verbose_ssl = yes
Probleme.
Hat da jemand einen Rat ? Aus der Doku zu openssl und ciphers werde ich nicht so ganz schlau, deshalb habe
ich in der ssl_cipher_list schon einiges ausprobiert, jedoch ohne Erfolg.
Vielen Dank schonmals
Grüsse Darthrox