I'm researching the reason why TLS/SSL is not using over HTTP. Other protocols, such as SMTP, POP3, FTP, etc can be used on SSL ports (SMTPS, POP3S, FTPS) for the first way, and the second way is to use STARTTLS option in the current port with the extension (SMTP example) There is a popular way to use the second way (STARTTLS) on email protocols, but why is http not using STARTTLS? I found RFC TLS within HTTP/1.1, but it is not using nowadays (or maybe i havent seen yet)
We have an openldap server and don't want to allow unencrypted communication, so acceptable is either tls over port 389 (starttls) or ssl over 636 (ldaps).
As we use slapd.conf for configuration, olcSecurity isn't an option.
TLSCipherSuite seems to be the way to do it with slapd.conf. But when using that slapd either doesn't start or ignores the settings (i.e. accepts unencrypted requests).
slapd doesn't start (error: TLS init def ctx failed: -1) when using:
- TLSCipherSuite ALL
- TLSCipherSuite Default
- TLSCipherSuite ALL:!NULL
- TLSCipherSuite ALL:!aNULL
- TLSCipherSuite AES256-SHA #one of the ciphers offered by openssl
slapd starts but accepts unencrypted requests when using:
- TLSCipherSuite NORMAL
- TLSCipherSuite NORMAL:!NULL #would be acceptable
- TLSCipherSuite !NULL #would be acceptable
We test with
ldapsearch -L -x -W -h [SERVER] -D [USER] - b [SEARCHBASE] uid=[USER]
(unencrypted)
and
ldapsearch -L -x -W -ZZ -h [SERVER] -D [USER] - b [SEARCHBASE] uid=[USER]
(encrypted)
The os openldap is running on is debian 8.7. The openldap version seems to be using gnutls, not openssl, so that may be the reason for the problems.
But the last three TLSCipherSuite variations seem to be valid syntax, at least slapd starts without errors. Why doesn't !NULL prevent slapd from accepting unencrypted requests? The last two (use any cipher available but don't allow no cipher) would be acceptable.
Are additional settings / parameters required?
Note that we tried the suggestions given here (as described above) but that didn't work.
I start build my first cloud server: Ubuntu 16.04 with postfix.
Question is how can i configure postfix to use TLSv1.2 when i send mail from my webshop?
When my webshop sending mail to my postfix server it uses TLSv1 Here is log:
postfix/submission/smtpd[19111]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
in my webshop i set in config: use: TLS port: 587
Thanks J
My server info:
Ubuntu 16.04
postfix:
Installed: 3.1.0-3
openssl:
Installed: 1.0.2h-1+deb.sury.org~xenial+1
Here is log from postfix: can see mail come in with TLSv1 ... :(
Sep 19 19:10:56 ubuntu postfix/master[6992]: daemon started -- version 3.1.0, configuration /etc/postfix
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: connect from domainname.com[xxx.xxx.xxx.xxx]
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: Anonymous TLS connection established from domainname.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: 803AB41C0A: client=domainname.com[xxx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=raitis
Sep 19 19:11:04 ubuntu postfix/cleanup[7131]: 803AB41C0A: message-id=<[email protected]>
Sep 19 19:11:04 ubuntu postfix/qmgr[7010]: 803AB41C0A: from=<[email protected]>, size=694, nrcpt=1 (queue active)
Sep 19 19:11:04 ubuntu postfix/submission/smtpd[7126]: disconnect from domainname.com[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Sep 19 19:11:04 ubuntu postfix/smtp[7133]: Trusted TLS connection established to gmail-smtp-in.l.google.com[66.102.1.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 19 19:11:04 ubuntu postfix/smtp[7133]: 803AB41C0A: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[66.102.1.26]:25, delay=0.43, delays=0.06/0.04/0.2/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1474305064 14si1756669wmn.119 - gsmtp)
Sep 19 19:11:04 ubuntu postfix/qmgr[7010]: 803AB41C0A: removed
master.cf
smtp inet n - - - - smtpd
smtpd pass n - - - - smtpd
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtp_tls_mandatory_protocols=TLSv1
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
I have a mail server that has a self signed SSL certificate.
I use Thunderbird to access this server, and it asks me to accept this certificate.
So lets say I accept this in a semi secure location, for example on a local network. Then move on to an insecure net with my certificate accepted in Thunderbird email client.
Thunderbird is set to use STARTTLS to the email server.
Is it so that once this certificate is accepted, it is impossible to do a man in the middle attack. For somebody to make use of this public self signed SSL certificate they also need a private key that the mail server keeps?
The red flag is if Thunderbird one day suddenly wants me to accept a new certificate from the mail server.
I've setup a Postfix + Courier server and have a Rails app configured with the SMTP server settings. Whenever the Rails app tries to send an email, this is what appears in the Postfix log (additional log verbosity set in master.cf)
Feb 22 03:57:24 alpha postfix/smtpd[1601]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 22 03:57:24 alpha postfix/smtpd[1601]: smtp_get: EOF
Feb 22 03:57:24 alpha postfix/smtpd[1601]: match_hostname: localhost ~? 127.0.0.0/8
Feb 22 03:57:24 alpha postfix/smtpd[1601]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
Feb 22 03:57:24 alpha postfix/smtpd[1601]: lost connection after STARTTLS from localhost[127.0.0.1]
Feb 22 03:57:24 alpha postfix/smtpd[1601]: disconnect from localhost[127.0.0.1]
Feb 22 03:57:24 alpha postfix/smtpd[1601]: master_notify: status 1
Feb 22 03:57:24 alpha postfix/smtpd[1601]: connection closed
Any ideas as to why it's losing the connection after authentication?