Univention Bugzilla – Full Text Bug Listing

Summary: | Postfix: Prohibiting RC4 Cipher Suites as prescribed in RFC7465 | |
---|---|---|---
Product: | UCS | Reporter: | Lutz Willek <lutz.willek>
Component: | | Assignee: | Daniel Tröder <troeder>
Status: | CLOSED FIXED | QA Contact: | Sönke Schwardt-Krummrich <schwardt>
Severity: | normal | |
Priority: | P4 | CC: | best, gohmann, grandjean, gulden, schwardt, walkenhorst
Version: | UCS 4.0 | |
Target Milestone: | UCS 4.0-1-errata | |
Hardware: | All | |
OS: | Linux | |
URL: | https://tools.ietf.org/rfc/rfc7465.txt | |
What kind of report is it?: | Security Issue | What type of bug is this?: | ---
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | ---
User Pain: | | Enterprise Customer affected?: |
School Customer affected?: | | ISV affected?: |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: |
Ticket number: | | Bug group (optional): | Security
Max CVSS v3 score: | | |
Attachments: | Patch prohibiting the use of RC4 cipher suites in postfix | |
Description
Lutz Willek
2015-03-15 16:05:34 CET
Created attachment 6761 [details]
Patch prohibiting the use of RC4 cipher suites in postfix

RC4 is cryptographically broken and must no longer be used. Such ciphers would not be negotiated due to MUAs' preference anyway. If the TLS client only offers RC4 cipher suites, the TLS server MUST terminate the handshake. In order to maintain the security guarantees of the TLS protocol, IETF RFC-7465 explicitly requires this behaviour, which will be guaranteed by applying this patch.

Postfix also supports configurations with no server certificates that use only the anonymous ciphers. By default anonymous ciphers (not supported by typical SMTP clients) are enabled in Postfix. (http://www.postfix.org/TLS_README.html) This behaviour will be disabled by applying this patch.

This patch will disable the following cipher suites on the server side:
AECDH-RC4-SHA
ADH-RC4-MD5
ECDHE-RSA-RC4-SHA
RC4-SHA
RC4-MD5
EXP-ADH-RC4-MD5
EXP-RC4-MD5

Please review. If possible, please apply this patch to UCS 4.0-1-errata.
Best Regards
Lutz Willek

apply and test the patch:

```
root@zarafa:~# apt-get install patch
## create a backup
root@zarafa:~# cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
root@zarafa:~# postconf >postconf.orig
root@zarafa:~# mkdir /etc/univention/templates/files/etc/postfix/main.cf.d_orig
root@zarafa:~# cp -a /etc/univention/templates/files/etc/postfix/main.cf.d/60_tls \
  /etc/univention/templates/files/etc/postfix/main.cf.d_orig/60_tls
## set new default variables
root@zarafa:~# ucr set mail/postfix/smtpd/tls/exclude_ciphers="RC4, aNULL"
root@zarafa:~# ucr set mail/postfix/tls/client/exclude_ciphers="RC4, aNULL"
## patch and commit
root@zarafa:~# patch -p0 < postfix_tls_exclude_ciphers.patch /etc/univention/templates/files/etc/postfix/main.cf.d/60_tls
root@zarafa:~# ucr commit /etc/postfix/main.cf
root@zarafa:~# service postfix restart
## diff to original main.cf and postconf after patching
root@zarafa:~# diff /etc/postfix/main.cf.orig /etc/postfix/main.cf
104a105
> smtp_tls_exclude_ciphers = RC4, aNULL
120a122
> smtp_tls_exclude_ciphers = RC4, aNULL
root@zarafa:~# postconf >postconf.diff
root@zarafa:~# diff postconf.orig postconf.diff
586c586
< smtp_tls_exclude_ciphers =
---
> smtp_tls_exclude_ciphers = RC4, aNULL
683c683
< smtpd_tls_exclude_ciphers =
---
> smtpd_tls_exclude_ciphers = RC4, aNULL
root@zarafa:~#
^^^patch works like expected

## allow the use of RC4 (in case of unwanted side effects)
root@zarafa:~# ucr set mail/postfix/smtpd/tls/exclude_ciphers=""
root@zarafa:~# ucr set mail/postfix/tls/client/exclude_ciphers=""
root@zarafa:~# ucr commit /etc/postfix/main.cf
root@zarafa:~# service postfix restart
## diff to original main.cf and postconf after allowing the use of RC4
root@zarafa:~# diff /etc/postfix/main.cf.orig /etc/postfix/main.cf
104a105
> smtpd_tls_exclude_ciphers =
120a122
> smtp_tls_exclude_ciphers =
root@zarafa:~# postconf >postconf.diff
root@zarafa:~# diff postconf.orig postconf.diff
root@zarafa:~#
^^^patch works like expected
```

description of the variables

mail/univention-mail-postfix/debian/univention-mail-postfix.univention-config-registry-variables

```
[mail/postfix/smtpd/tls/exclude_ciphers]
Description[de]=Liste der Verschlüsselungstypen, die aus der SMTP-Server Cipher Liste auf allen TLS Sicherheitsstufen ausgenommen sind, siehe http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers. Standard ist "RC4, aNULL"
Description[en]=List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels as described in http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers. Defaults to "RC4, aNULL"
Type=str
Categories=service-mail

[mail/postfix/tls/client/exclude_ciphers]
Description[de]=Liste der Verschlüsselungstypen, die aus der SMTP-Client Cipher Liste auf allen TLS Sicherheitsstufen ausgenommen sind, siehe http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers. Standard ist "RC4, aNULL"
Description[en]=List of ciphers or cipher types to exclude from the Postfix SMTP client cipher list at all TLS security levels as described in http://www.postfix.org/postconf.5.html#smtp_tls_exclude_ciphers. Defaults to "RC4, aNULL"
Type=str
Categories=service-mail
```

/mail/univention-mail-postfix/debian/univention-mail-postfix.univention-config-registry

```
...
Type: subfile
Multifile: etc/postfix/main.cf
Subfile: etc/postfix/main.cf.d/60_tls
...
Variables: mail/postfix/tls/client/exclude_ciphers
Variables: mail/postfix/smtpd/tls/exclude_ciphers
```

@Daniel, can you review and apply the patch please. If everything is fine you can commit it and build for UCS 4.0-1-errata.

Thank you for the patch - it has been applied. RC4 Cipher Suites will be excluded from all TLS security levels. Adds UCR variables mail/postfix/tls/client/exclude_ciphers and mail/postfix/smtpd/tls/exclude_ciphers and sets them by default to "RC4, aNULL".

Commit: r59867
Package: mail/univention-mail-postfix
YAML: 2015-04-16-univention-mail-postfix.yaml

OK: code change
OK: short functional test
OK: UCR variables
OK: YAML
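The test procedure in the report verifies the change by diffing `postconf` output by hand. The following script is an added example (not part of the bug report, the attached patch, or the univention-mail-postfix package) that automates that check: it parses the `name = value` lines `postconf` prints, as shown in the report, and tells you for both the SMTP server side (`smtpd_tls_exclude_ciphers`) and the SMTP client side (`smtp_tls_exclude_ciphers`) whether `RC4` and `aNULL` are actually excluded. The two sample `postconf` outputs embedded below are constructed; they model the patched state and the rollback state (UCR variables reset to `""`) that the report demonstrates. The `check_running_postfix` helper, which shells out to the real `postconf`, is an assumption about the deployment and needs a Postfix installation.

```python
"""Check that a Postfix configuration excludes RC4 and anonymous (aNULL) ciphers.

Added example, not code from the bug report or the univention-mail-postfix
package. It reads the ``name = value`` lines that ``postconf`` prints and
reports, per TLS side, which of the required exclusions are missing.
"""
import re
import subprocess
from typing import Dict, List

# Exclusions the patch sets by default through the UCR variables
# mail/postfix/smtpd/tls/exclude_ciphers and mail/postfix/tls/client/exclude_ciphers.
# "aNULL" is the OpenSSL cipher-string alias for suites without authentication.
REQUIRED_EXCLUSIONS = {"RC4", "aNULL"}

# The two Postfix parameters the 60_tls template writes (server side, client side).
PARAMETERS = ("smtpd_tls_exclude_ciphers", "smtp_tls_exclude_ciphers")

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_postconf(text: str) -> Dict[str, str]:
    """Turn ``postconf`` output into a parameter -> value mapping."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def split_cipher_list(value: str) -> List[str]:
    """Postfix accepts comma- and/or whitespace-separated cipher lists."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def check_exclusions(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per parameter, the required exclusions that are NOT present.

    An empty list means that side is compliant. A missing or empty parameter
    is Postfix's permissive default (nothing excluded), so it reports both
    entries as missing; this is exactly the rollback state in the report.
    """
    findings: Dict[str, List[str]] = {}
    for name in PARAMETERS:
        present = set(split_cipher_list(params.get(name, "")))
        findings[name] = sorted(REQUIRED_EXCLUSIONS - present)
    return findings


def is_compliant(params: Dict[str, str]) -> bool:
    """True when both the server and the client side exclude RC4 and aNULL."""
    return all(not missing for missing in check_exclusions(params).values())


def check_running_postfix() -> Dict[str, List[str]]:
    """Assumption: a local Postfix install; runs the real ``postconf``."""
    out = subprocess.run(["postconf"], capture_output=True, text=True, check=True).stdout
    return check_exclusions(parse_postconf(out))


# Constructed sample: state after the patch, both sides exclude RC4 and aNULL.
PATCHED_POSTCONF = """\
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_security_level = may
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_security_level = may
"""

# Constructed sample: UCR variables reset to "" (the rollback in the report),
# which leaves both directives empty, so RC4 becomes negotiable again.
ROLLED_BACK_POSTCONF = """\
smtp_tls_exclude_ciphers =
smtp_tls_security_level = may
smtpd_tls_exclude_ciphers =
smtpd_tls_security_level = may
"""

if __name__ == "__main__":
    for label, sample in (("patched", PATCHED_POSTCONF), ("rolled back", ROLLED_BACK_POSTCONF)):
        for name, missing in check_exclusions(parse_postconf(sample)).items():
            status = "ok" if not missing else "MISSING " + ", ".join(missing)
            print(f"{label:11s} {name}: {status}")
```

On a UCS host the same check can be fed live output with `check_running_postfix()`; run it after `ucr commit /etc/postfix/main.cf` and the Postfix restart, since `postconf` reads the committed main.cf, not the UCR variables.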