1 (edited by broth 2014-02-11 15:53:51)

Topic: Implementing security recommendations

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian 7.1
- Related log if you're reporting an issue:
====

Hello Zhang,

I was following the recent security discussions and I found out that the current iRedMail installation could be improved a bit according to https://bettercrypto.org/static/applied … dening.pdf

I was implementing most of the recommendations for Apache, Dovecot and Postfix and it works very well with all of our customers.
Maybe you can review the changes (these are only a few which are required) and implement these secure defaults into the standard iRedMail installations.

In addition it would be great to have SMTP via SSL (TCP port 465) activated by default in Postfix and the iptables firewall.
I wonder why it's commented out in the master.cf file.

Thank you!

Best regards,
Bernhard

2

Re: Implementing security recommendations

Hi Bernhard,

Thanks for sharing, I will check your link later (out of office now).

About smtp over ssl, it's deprecated and all mail server admins are encouraged to use smtp over tls (port 587, aka submission) instead. Hope it helps.

3 (edited by broth 2014-02-12 23:52:00)

Re: Implementing security recommendations

FYI:

The following document (in German) explains how to activate PFS in Dovecot and Postfix:

http://www.heinlein-support.de/blog/sec … d-dovecot/

Basic steps for Postfix:

# generate DH parameters (generator 2) for the 512-bit export group and the 1024-bit non-export group
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

# point Postfix at the DH parameters, use the "strong" (P-256) ECDHE curve,
# let the server's cipher preference win and log a one-line TLS summary per session
postconf -e "smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem"
postconf -e "smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem"
postconf -e "smtpd_tls_eecdh_grade = strong"
postconf -e "tls_preempt_cipherlist = yes"
postconf -e "smtpd_tls_loglevel = 1"
postconf -e "smtp_tls_loglevel = 1"

postfix reload

Dovecot already supports DHE by default, but the negotiated cipher is not shown in the log files.
Adjust /etc/dovecot/conf.d/10-logging.conf to add %k (the SSL cipher) to the login log format:

login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"

How to test:

SMTP:
openssl s_client -starttls smtp -connect your-server.com:25

IMAP:
openssl s_client -starttls imap -connect your-server.com:143

The cipher displayed should be an ECDHE or DHE suite.
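To make the "how to test" step above repeatable, here is an added helper (not from the original post or the iRedMail project) that parses the output of the openssl s_client commands shown above and reports whether the negotiated cipher is a forward-secret (ECDHE or DHE) suite. It handles the case where no TLS session was established at all, which s_client reports as cipher "0000". The two sample s_client outputs at the bottom are constructed for offline demonstration; the function names, the sample server name and the `0000` check are the example's own assumptions.

```bash
#!/bin/sh
# Added example (not part of the original post): check whether a TLS handshake
# negotiated a forward-secret key exchange, given `openssl s_client` output.
#
# Live use (feed the real s_client output into check_pfs):
#   openssl s_client -starttls smtp -connect your-server.com:25 </dev/null 2>/dev/null | check_pfs
#   openssl s_client -starttls imap -connect your-server.com:143 </dev/null 2>/dev/null | check_pfs

# Print the negotiated cipher from s_client output (the "Cipher    : NAME" line).
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if the cipher name denotes an ECDHE- or DHE-based suite (forward secrecy), 1 otherwise.
is_pfs_cipher() {
    case "$1" in
        ECDHE-*|DHE-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read s_client output on stdin; exit 0 = forward secrecy, 1 = no forward secrecy, 2 = no TLS session.
check_pfs() {
    cipher=$(negotiated_cipher)
    # s_client prints "Cipher    : 0000" when STARTTLS failed or no session was negotiated
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "FAIL: no TLS session negotiated"
        return 2
    fi
    if is_pfs_cipher "$cipher"; then
        echo "OK: $cipher provides forward secrecy"
        return 0
    fi
    echo "WARNING: $cipher has no forward secrecy"
    return 1
}

# Constructed sample output (abridged) from a server that negotiated an ECDHE suite.
SAMPLE_PFS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1A2B
250 DSN'

# Constructed sample output from a server that only offered a plain RSA key exchange.
SAMPLE_NO_PFS='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
250 DSN'

# Constructed sample where STARTTLS was not accepted and no session exists.
SAMPLE_NO_TLS='SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PFS" | check_pfs
printf '%s\n' "$SAMPLE_NO_PFS" | check_pfs || true
printf '%s\n' "$SAMPLE_NO_TLS" | check_pfs || true
```

The exit code makes the check usable from cron or a monitoring script: anything other than 0 means the server (or the client's offered cipher list) fell back to a non-forward-secret exchange, or TLS was not established at all.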