80
edits
Changes
From SME Server
Jump to navigationJump to searchno edit summary
config setprop pop3s TLSv1 disabled
config setprop pop3s TLSv1 disabled
signal-event email-update
signal-event email-update
{{Note box|This is only available on SME9, for SME10 POP3 is handled by dovecot.}}
===Dovecot===
For windows 10 require TLSv1.2 to be enabled Default is disabled
[root@sme10a4 ~]# config show dovecot
dovecot=service
Quotas=enabled
status=enabled
# config setprop dovecot TLSv1.2 enabled
# signal-event email-update
[root@sme10a4 ~]# config show dovecot
dovecot=service
Quotas=enabled
TLSv1.2=enabled
status=enabled
==Ciphers==
==Ciphers==
Save.
Save.
Now we can set an overall Cipher or per service.
Now we can set an overall Cipher, or per service.
Overall we can use (There is no separate setting for https)
Overall we can use (There is no separate setting for https)
config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop ldap qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop ldap pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
Expand all templates and restart:
Expand all templates and restart:
signal-event post-upgrade;signal-event reboot
signal-event post-upgrade;signal-event reboot
==Other settings==
==Other informations==
===Existing keys===
===Existing templates===
For reference here are the existing keys in /etc/e-smith/templates
For reference here are the existing keys in /etc/e-smith/templates
etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4: $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4: $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
etc/openldap/slapd.conf/12tls:2:TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
/etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
var/service/qpsmtpd/config/tls_ciphers/10ciphers:3: return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3: return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
those are fthe te,plate for protocols
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
=== Existing keys and properties ===
{| class="wikitable"
|+
!Key
!Property
!default SME9
!default SME10
!template
!informations
|-
|modSSL
|CipherSuite
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
|/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
|for httpd
|-
|dovecot
|CipherSuite
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
|/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
|default to modSSL(CipherSuite) if exists
|-
|ldap
|CipherSuite
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
|default to modSSL(CipherSuite) if exists
|-
|qpsmtpd
|CipherSuite
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
|/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
|default to modSSL(CipherSuite) if exists
|-
|pop3s
|CipherSuite
|'''none'''
|'''moved to dovecot'''
|
|'''needs template custom see above'''
|-
|httpd-e-smith
|SSLv2
|disabled
|disabled
| rowspan="5" |/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
|
|-
|httpd-e-smith
|SSLv3
|disabled
|disabled
|
|-
|httpd-e-smith
|TLSv1
|disabled
|disabled
|
|-
|httpd-e-smith
|TLSv1.1
|disabled
|disabled
|
|-
|httpd-e-smith
|TLSv1.2
|'''none'''
|enabled
|
|-
|dovecot
|SSLv2
|disabled
|disabled
| rowspan="5" |/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
|
|-
|dovecot
|SSLv3
|disabled
|disabled
|
|-
|dovecot
|TLSv1
|enabled
|disabled
|
|-
|dovecot
|TLSv1.1
|enabled
|disabled
|
|-
|dovecot
|TLSv1.2
|'''none'''
|enabled
|
|-
|pop3s
|SSLv2
|disabled
|'''moved to dovecot'''
| rowspan="4" |/etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl
|
|-
|pop3s
|SSLv3
|disabled
|'''moved to dovecot'''
|
|-
|pop3s
|TLSv1
|enabled
|'''moved to dovecot'''
|
|-
|pop3s
|TLSv1.1
|'''none'''
|'''moved to dovecot'''
|'''needs template custom''' for SME9
|-
|qpsmtpd
|SSLv2
|disabled
|disabled
|
|
|-
|qpsmtpd
|SSLv3
|disabled
|disabled
|/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
|
|-
|qpsmtpd
|TLSv1
|enabled
|enabled
|
|more permissive to allow oportunistic encrypted email transfer between smtp
|-
|qpsmtpd
|TLSv1.1
|'''none'''
|enabled
|
|more permissive to allow oportunistic encrypted email transfer between smtp
|-
|qpsmtpd
|TLSv1.2
|'''none'''
|enabled
|
|
|-
|ftp
|none
|none (no TLS on SME9)
|none
|/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
|TLSProtocol TLSv1.1 TLSv1.2
|-
|ldap
|SSLv3
|disabled
|'''removed'''
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
|TLSProtocolMin '3.0'(enabled) or '3.1'(disabled)
|-
|ldap
|TLSProtocolMin
|'''none'''
|TLSv1.2
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
|SSLv3,TLSv1,TLSv1,1, TLSv1.2
|}
===Preferred Ciphers===
===Preferred Ciphers===
When testing at ssllabs.com we can see that these are the only Ciphers it feels are secure but currently we do have a specific Cipher setting to restrict it to these:
When testing at ssllabs.com we can see that these are the only Ciphers it feels are secure but currently we do not have a specific Cipher setting to restrict it to these:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
==Testing==
===Sites===
https://www.ssllabs.com
https://www.ssllabs.com
https://testssl.sh/
and
https://github.com/drwetter/testssl.sh
===Commands===
Test with:
Test with:
openssl s_client -connect youserver.com:465 -tls1_1
openssl s_client -connect youserver.com:465 -tls1_1
Note: if you server supports the protocal
Note: if your server supports the protocol, You will get:
You will get:
Protocol : TLSvX
Protocol : TLSvX
Cipher : XXX
Cipher : XXX
(You my need to CTL C out)
(You my need to CTL C out)
If you server does not support the protocal, you will get
If your server does not support the protocol, you will get
Secure Renegotiation IS NOT supported
Secure Renegotiation IS NOT supported
[[category:developer]]
[[category:advanced]]
