Timeguard psl07 bind instructions

ubuntuusers.de

andi303

Registration date:
April 13, 2007


October 22, 2011 10:22 am

Hello everybody,

a Trustwave security scan for PCI certification still states "SSLv2 supported". I have already deactivated the ciphers with

smtpd_tls_mandatory_protocols = SSLv3, TLSv1, !SSLv2
smtpd_tls_mandatory_ciphers = medium

Nevertheless, with

openssl s_client -connect meinserver.tld:25 -ssl2

I still get one.

Does anyone have any idea why that could be? I used the Ubuntu 10.04 Server Guide as a guide when configuring Postfix, SASL and dovecot.

Many greetings, Andi

xabbuh

Registration date:
May 25, 2006

Posts: 6411

October 22, 2011 10:58 am (last edited: October 22, 2011 10:59 am)

Please show the output of.

EDIT: And which version of Postfix are you using?

Regards

HubertB

Registration date:
August 23, 2006


Place of residence: Münster (Westf)

October 24, 2011 10:26 am (last edited: October 24, 2011 10:26 am)

So I have the following in my main.cf:

smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtpd_tls_auth_only = yes

xabbuh

Registration date:
May 25, 2006

Posts: 6411

October 24, 2011 10:31 am

But that doesn't fully answer my questions.

HubertB

Registration date:
August 23, 2006

Posts: 37

Place of residence: Münster (Westf)

October 24, 2011 2:48 pm

andi303 wrote:

[...] Does anyone have any idea why this could be? [...]

It's due to the wrong settings in your main.cf. Give this a try:

smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtpd_tls_auth_only = yes

and let me know if it works with it.

andi303

Registration date:
April 13, 2007

Posts: 7

October 24, 2011 3:31 pm

Nope. No difference with the suggested settings.

Here is the output of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-dovecot-postfix.conf -n -m "${EXTENSION}"
mailbox_size_limit = 0
mydestination = mydomain.de, meinzweitedomain.de, localhost
myhostname = mail.mydomain.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.meinedomain.de.crt
smtpd_tls_key_file = /etc/ssl/private/mail.meinedomain.de.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =

HubertB

Registration date:
August 23, 2006

Posts: 37

Place of residence: Münster (Westf)

October 24, 2011 3:54 pm (last edited: October 24, 2011 3:55 pm)

AFAIK, smtpd_tls_mandatory_* is only evaluated if smtpd_tls_security_level = encrypt (encrypt ⇒ mandatory). Since you are using smtpd_tls_security_level = may (may ⇒ opportunistic), you have to make the settings using the smtpd_tls_protocols parameter.

In your postconf -n output I find smtpd_tls_security_level = may together with smtpd_tls_mandatory_*, but this is the wrong pair of values. Please correct that and post your results.
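As an added example (not code from this thread or from Postfix itself), the following Python script applies the rule above to a saved `postconf -n` output: it picks the protocol parameter that Postfix actually consults for the configured smtpd_tls_security_level, expands the protocol list (plain names include, "!name" excludes), and reports whether SSLv2 is still offered. The two inline configurations are constructed from the settings quoted in this thread; the "!SSLv2" fallback for the mandatory list is an assumed default.

```python
"""Audit which smtpd TLS protocol list a Postfix configuration really uses."""
import re

# Protocol names known to the OpenSSL generation used by Postfix 2.7.
KNOWN = ("SSLv2", "SSLv3", "TLSv1")

# Constructed from the thread: andi303's pairing (security level "may" with
# only the mandatory_* parameters set) and HubertB's working pairing.
ANDI_CONF = """smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_mandatory_ciphers = medium
"""
HUBERT_CONF = """smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtpd_tls_auth_only = yes
"""

def parse_postconf(text):
    """Turn 'postconf -n' output into a dict; a repeated key keeps the last value."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def effective_protocol_param(cfg):
    """Return (parameter, value) governing the smtpd protocol list.
    Only smtpd_tls_security_level = encrypt consults smtpd_tls_mandatory_*;
    'may' (opportunistic TLS) consults smtpd_tls_protocols instead."""
    if cfg.get("smtpd_tls_security_level", "none") == "encrypt":
        # Assumed default when unset: "!SSLv2" (Postfix 2.6+ documented default).
        return "smtpd_tls_mandatory_protocols", cfg.get("smtpd_tls_mandatory_protocols", "!SSLv2")
    # Postfix's default for smtpd_tls_protocols is empty, meaning "all protocols".
    return "smtpd_tls_protocols", cfg.get("smtpd_tls_protocols", "")

def allowed_protocols(spec):
    """Expand a Postfix protocol list: bare names include, '!name' excludes.
    An empty list, or one containing only exclusions, starts from all protocols."""
    tokens = [t for t in re.split(r"[,\s]+", spec.strip()) if t]
    included = {t.upper() for t in tokens if not t.startswith("!")}
    excluded = {t[1:].upper() for t in tokens if t.startswith("!")}
    base = included if included else {p.upper() for p in KNOWN}
    return {p for p in KNOWN if p.upper() in base - excluded}

def sslv2_offered(postconf_output):
    """True when the effective protocol list still leaves SSLv2 enabled."""
    _param, spec = effective_protocol_param(parse_postconf(postconf_output))
    return "SSLv2" in allowed_protocols(spec)
```

Running `sslv2_offered` over a real `postconf -n` dump reproduces what the scanner sees without having to re-run the external scan after every edit.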

andi303

Registration date:
April 13, 2007

Posts: 7

October 24, 2011 7:31 pm

Hm, this is frustrating! I tried both "pairs" of variants, for smtpd_tls_security_level = may and for encrypt, unfortunately both without success.

HubertB

Registration date:
August 23, 2006

Posts: 37

Place of residence: Münster (Westf)

October 24, 2011 9:37 pm

Hmm then unfortunately I don't know what to do next. I have it like this and it works:

# postconf -n | grep smtpd_tls
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/tls.crt
smtpd_tls_key_file = /etc/ssl/private/tls.key
smtpd_tls_protocols = !SSLv2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

xabbuh

Registration date:
May 25, 2006

Posts: 6411

October 25, 2011 3:39 pm

Which version of Postfix are you using now? The one from the Lucid package sources, or one you compiled yourself?

andi303

Registration date:
April 13, 2007

Posts: 7

October 25, 2011 4:50 pm

It is the version from the Lucid package sources, version 2.7.0-1ubuntu0.2.