Bug 35924

Summary: Check if perfect forward secrecy is enabled
Product: UCS Test
Reporter: Sönke Schwardt-Krummrich <schwardt>
Component: Mail
Assignee: Dmitry Galkin <galkin>
Status: CLOSED FIXED
Severity: normal
Priority: P5
CC: gohmann
Version: unspecified
Hardware: Other
OS: Linux
What kind of report is it?: Development Internal
Bug Depends on: 35923

Description Sönke Schwardt-Krummrich univentionstaff 2014-09-15 09:18:25 CEST
A test should be implemented that tests if TLS and PFS are enabled and working properly. Sending mails and receiving mails should be tested!

+++ This bug was initially created as a clone of Bug #35923 +++

We should enable Perfect Forward Secrecy:

* Execute the following commands during installation of univention-mail-postfix:
    $ openssl gendh -out /etc/postfix/dh_512.pem -2 512
    $ openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
    $ openssl gendh -out /etc/postfix/dh_2048.pem -2 2048
  And the new config options:
    smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
  This enables EDH in postfix.
* smtpd_tls_eecdh_grade = strong
  Currently the builtin default value "none" is used which disables ciphers based on EECDH key exchange.
* tls_preempt_cipherlist = yes
  Is currently ignored in UCS 3.x (postfix 2.7) but used in UCS 4. It should also be set.
* smtpd_tls_loglevel = 1
  smtp_tls_loglevel = 1
  Raise TLS loglevel from 0 to 1.

Please also recheck for missing options:
http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
Comment 1 Dmitry Galkin univentionstaff 2015-01-20 12:08:19 CET
r57392:
  * Bug #35924: 40_mail/00check_forward_secrecy: check if Perfect Forward
    Secrecy is enabled.

The test greps the output of openssl s_client as in Bug #35923.
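An added illustration of the kind of check described here (grepping `openssl s_client` output to see whether the Postfix options from the description actually yield an ephemeral key exchange); this is example code, not the ucs-test script from r57392. The two `SAMPLE_*` strings are constructed s_client transcripts, and `check_server` assumes `openssl` is on the path.

```python
"""Decide from openssl s_client output whether an SMTP server negotiated PFS."""
import re
import subprocess

# Cipher-suite name prefixes that use ephemeral (EC)DH key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Constructed sample outputs (trimmed to the lines the parser looks at).
SAMPLE_PFS = """CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_NO_PFS = """CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
"""

def parse_s_client(output: str) -> dict:
    """Extract protocol, cipher and ephemeral-key line from s_client output."""
    info = {"protocol": None, "cipher": None, "temp_key": None}
    for key, pattern in (("protocol", r"^\s*Protocol\s*:\s*(\S+)"),
                         ("cipher", r"^\s*Cipher\s*:\s*(\S+)"),
                         ("temp_key", r"^Server Temp Key:\s*(.+?)\s*$")):
        match = re.search(pattern, output, re.MULTILINE)
        if match:
            info[key] = match.group(1)
    return info

def has_forward_secrecy(info: dict) -> bool:
    """True only when the negotiated key exchange is ephemeral."""
    cipher = info.get("cipher") or ""
    if cipher in ("", "0000", "(NONE)"):
        return False  # handshake failed, so no TLS session to judge
    if info.get("protocol") == "TLSv1.3":
        return True  # every TLS 1.3 suite uses (EC)DHE
    if cipher.startswith(PFS_PREFIXES):
        return True
    temp = info.get("temp_key") or ""
    return temp.startswith(("ECDH", "DH", "X25519", "X448"))

def check_server(host: str, port: int = 25) -> dict:
    """Live variant: STARTTLS against a real server (hypothetical host, needs openssl)."""
    cmd = ["openssl", "s_client", "-starttls", "smtp", "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input=b"Q\n", capture_output=True, timeout=30)
    return parse_s_client(proc.stdout.decode(errors="replace"))
```

`has_forward_secrecy` returning False for a server that accepted the connection points at the cipher or DH/EECDH settings from the description rather than at TLS itself.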
Comment 2 Dmitry Galkin univentionstaff 2015-01-20 12:29:07 CET
r57394:
  * Bug #35924: 40_mail/00delivery00basic: added delivery test case with tls.
Comment 3 Stefan Gohmann univentionstaff 2016-10-12 07:48:07 CEST
No separate QA is needed for this bug.