Univention Bugzilla – Full Text Bug Listing |
Summary: | Postfix: Allow to disable the use of SSLv3 (Poodle-Bug) | ||
---|---|---|---|
Product: | UCS | Reporter: | Lutz Willek <lutz.willek> |
Component: | Assignee: | Daniel Tröder <troeder> | |
Status: | CLOSED FIXED | QA Contact: | Florian Best <best> |
Severity: | enhancement | ||
Priority: | P5 | CC: | best, gohmann, grandjean, gulden, schwardt, walkenhorst |
Version: | UCS 4.0 | ||
Target Milestone: | UCS 4.0-1-errata | ||
Hardware: | All | ||
OS: | Linux | ||
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 38468 | ||
Attachments: | Patch allowing to disable the use of SSLv3 via ucr |
Description
Lutz Willek
2015-03-15 19:53:01 CET
Created attachment 6762 [details]
Patch allowing to disable the use of SSLv3 via ucr
Patch allowing the following Postfix variables to be configured via UCR:
smtpd_tls_mandatory_protocols
smtpd_tls_protocols
smtp_tls_mandatory_protocols
smtp_tls_protocols
The default config will not be altered by using this patch.
apply and test the patch:

root@zarafa:~# apt-get install patch

## create a backup
root@zarafa:~# cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
root@zarafa:~# postconf >postconf.orig
root@zarafa:~# mkdir /etc/univention/templates/files/etc/postfix/main.cf.d_orig
root@zarafa:~# cp -a /etc/univention/templates/files/etc/postfix/main.cf.d/60_tls \
    /etc/univention/templates/files/etc/postfix/main.cf.d_orig/60_tls

## patch and commit
root@zarafa:~# patch -p0 < postfix_tls_protocols.patch /etc/univention/templates/files/etc/postfix/main.cf.d/60_tls
root@zarafa:~# ucr commit /etc/postfix/main.cf
root@zarafa:~# service postfix restart

## diff to original main.cf and postconf after patching
root@zarafa:~# diff /etc/postfix/main.cf.orig /etc/postfix/main.cf
104a105,106
> smtpd_tls_mandatory_protocols = !SSLv2
> smtpd_tls_protocols =
120a123,124
> smtp_tls_mandatory_protocols = !SSLv2
> smtp_tls_protocols = !SSLv2
root@zarafa:~# postconf >postconf.diff
root@zarafa:~# diff postconf.orig postconf.diff
root@zarafa:~#
^^^ patch works as expected, default config is not changed

## set new default variables, commit and test:
ucr set mail/postfix/smtpd/tls/mandatory_protocols='!SSLv2'
ucr set mail/postfix/smtpd/tls/protocols=''
ucr set mail/postfix/tls/client/mandatory_protocols='!SSLv2'
ucr set mail/postfix/tls/client/protocols='!SSLv2'
ucr commit /etc/postfix/main.cf
service postfix restart
root@zarafa:~# diff /etc/postfix/main.cf.orig /etc/postfix/main.cf
104a105,106
> smtpd_tls_mandatory_protocols = !SSLv2
> smtpd_tls_protocols =
120a123,124
> smtp_tls_mandatory_protocols = !SSLv2
> smtp_tls_protocols = !SSLv2
root@zarafa:~# postconf >postconf.diff
root@zarafa:~# diff postconf.orig postconf.diff
root@zarafa:~#
^^^ patch works as expected, default config is not changed after variables are set

## precheck if SSLv3 is available
root@zarafa:~# openssl s_client -starttls smtp -crlf -ssl3 -connect 127.0.0.1:25
CONNECTED(00000003)
[...snip...]
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
[...snip...]
^^^ SSLv3 is available

## Disable the use of SSLv3 (testing variables)
ucr set mail/postfix/smtpd/tls/mandatory_protocols='!SSLv2,!SSLv3'
ucr set mail/postfix/smtpd/tls/protocols='!SSLv2,!SSLv3'
ucr set mail/postfix/tls/client/mandatory_protocols='!SSLv2,!SSLv3'
ucr set mail/postfix/tls/client/protocols='!SSLv2,!SSLv3'
ucr commit /etc/postfix/main.cf
service postfix restart
root@zarafa:~# diff /etc/postfix/main.cf.orig /etc/postfix/main.cf
104a105,106
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
120a123,124
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_protocols = !SSLv2,!SSLv3
root@zarafa:~# postconf >postconf.diff
root@zarafa:~# diff postconf.orig postconf.diff
593c593
< smtp_tls_mandatory_protocols = !SSLv2
---
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
597c597
< smtp_tls_protocols = !SSLv2
---
> smtp_tls_protocols = !SSLv2,!SSLv3
689,690c689,690
< smtpd_tls_mandatory_protocols = !SSLv2
< smtpd_tls_protocols =
---
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
^^^ patch works as expected

## check if the patch is working as expected (i.e. SSLv3 is disabled now)
root@zarafa:~# openssl s_client -starttls smtp -crlf -ssl3 -connect 127.0.0.1:25
CONNECTED(00000003)
140006034015912:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
140006034015912:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
...
^^^ SSLv3 is not available (sslv3 alert handshake failure...)
description of the variables

mail/univention-mail-postfix/debian/univention-mail-postfix.univention-config-registry-variables:

[mail/postfix/smtpd/tls/mandatory_protocols]
Description[de]=List of the TLS protocols that the Postfix SMTP server uses with mandatory TLS encryption. (Default is: !SSLv2) http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols
Description[en]=The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. (default: !SSLv2) http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols
Type=str
Categories=service-mail

[mail/postfix/smtpd/tls/protocols]
Description[de]=List of the TLS protocols that the Postfix SMTP server uses with opportunistic TLS encryption. (Default is: not set) http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
Description[en]=List of TLS protocols that the Postfix SMTP server will exclude or include with opportunistic TLS encryption. (default: empty) http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
Type=str
Categories=service-mail

[mail/postfix/tls/client/mandatory_protocols]
Description[de]=List of the TLS protocols that the Postfix SMTP client uses with mandatory TLS encryption. (Default is: !SSLv2) http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_protocols
Description[en]=List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. (default: !SSLv2) http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_protocols
Type=str
Categories=service-mail

[mail/postfix/tls/client/protocols]
Description[de]=List of the TLS protocols that the Postfix SMTP client uses with opportunistic TLS encryption. (Default is: !SSLv2) http://www.postfix.org/postconf.5.html#smtp_tls_protocols
Description[en]=List of TLS protocols that the Postfix SMTP client will exclude or include with opportunistic TLS encryption.
(default: !SSLv2) http://www.postfix.org/postconf.5.html#smtp_tls_protocols
Type=str
Categories=service-mail

/mail/univention-mail-postfix/debian/univention-mail-postfix.univention-config-registry
...
Type: subfile
Multifile: etc/postfix/main.cf
Subfile: etc/postfix/main.cf.d/60_tls
...
Variables: mail/postfix/smtpd/tls/mandatory_protocols
Variables: mail/postfix/smtpd/tls/protocols
Variables: mail/postfix/tls/client/mandatory_protocols
Variables: mail/postfix/tls/client/protocols

Just as a note: to disable SSLv2 and SSLv3 with Postfix, run the following commands:

ucr set mail/postfix/smtpd/tls/mandatory_protocols='!SSLv2,!SSLv3'
ucr set mail/postfix/smtpd/tls/protocols=''
ucr set mail/postfix/tls/client/mandatory_protocols='!SSLv2,!SSLv3'
ucr set mail/postfix/tls/client/protocols='!SSLv2,!SSLv3'

I cannot recommend restricting "mail/postfix/smtpd/tls/protocols", i.e. the Postfix parameter "smtpd_tls_protocols". Doing so increases the chance of not being able to agree with other mail servers on any suitable protocol or cipher suite. (In this case data is passed without encryption.)

Please review the patch and, if possible, apply it to UCS 4.0-1-errata.

Best regards
Lutz Willek

@Daniel, can you review and apply the patch please. If everything is fine you can commit it and build for UCS 4.0-1-errata.

Daniel Tröder (comment #6):
Thank you for a perfect patch Lutz Willek.

Adds UCR variables:
* mail/postfix/smtpd/tls/protocols to set smtpd_tls_protocols
* mail/postfix/smtpd/tls/mandatory_protocols to set smtpd_tls_mandatory_protocols
* mail/postfix/tls/client/protocols to set smtp_tls_protocols
* mail/postfix/tls/client/mandatory_protocols to set smtp_tls_mandatory_protocols

SSLv3 will be disabled for fresh Postfix installs (except for receiving mails).

Commit: r59834
Package: mail/univention-mail-postfix
YAML: 2015-04-16-univention-mail-postfix.yaml

(In reply to Daniel Tröder from comment #6)
> Thank you for a perfect patch Lutz Willek.
>
> Adds UCR variables:
> * mail/postfix/smtpd/tls/protocols to set smtpd_tls_protocols
> * mail/postfix/smtpd/tls/mandatory_protocols to set smtpd_tls_mandatory_protocols
> * mail/postfix/tls/client/protocols to set smtp_tls_protocols
> * mail/postfix/tls/client/mandatory_protocols to set smtp_tls_mandatory_protocols
>
> SSLv3 will be disabled for fresh Postfix installs (except for receiving mails).
>
> Commit: r59834
> Package: mail/univention-mail-postfix
> YAML: 2015-04-16-univention-mail-postfix.yaml

During update, the default values will be kept. Fresh installations will disable SSLv2 and SSLv3 (except for incoming mails in opportunistic TLS mode).

Please do not abbreviate the UCR variables within the YAML file; add all 4 variable names → REOPEN

Please add <..> around the hyperlinks <http://...> within the UCR variable descriptions.

OK: code change
OK: functional test (update / fresh install)
REOPEN: UCR variable description
REOPEN: YAML

Daniel Tröder (comment #8):
fixed UCR variable description in r60508
fixed YAML in r60512

(In reply to Daniel Tröder from comment #8)
> fixed UCR variable description in r60508
OK
> fixed YAML in r60512
OK

REOPEN: please fix the bug number in debian/changelog.

Daniel Tröder (comment #10):
Done in 60519.

(In reply to Daniel Tröder from comment #10)
> Done in 60519.
OK
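The settings this bug converges on (SSLv3 excluded everywhere except server-side opportunistic TLS) are easy to misread in a `postconf` dump, because an empty `smtpd_tls_protocols` means "every protocol the TLS library offers", not "nothing". The script below is an added example written for this page, not code from the bug report, the attached patch or Univention: it implements the protocol-list semantics documented in postconf(5) (entries prefixed with `!` exclude a protocol, entries without `!` form an inclusion list, an empty list enables everything) and audits the four parameters offline against two constructed `postconf` excerpts that mirror the values in the transcript above. The function names, the sample text and the decision to ignore the newer `>=TLSv1.2` syntax are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the UCS bug or the attached patch): audit the
# four Postfix TLS protocol parameters for SSLv3 exposure, offline, from
# the text that `postconf` prints.
#
# Protocol-list semantics as documented in postconf(5): entries starting
# with "!" exclude a protocol, entries without "!" form an inclusion list,
# and an empty list enables every protocol the TLS library supports.
# Assumption: the ">=TLSv1.2" form of newer Postfix releases is not needed
# for the SSLv3 question on this page and is not parsed here.

# proto_enabled LIST PROTO -> exit status 0 if PROTO is usable under LIST.
proto_enabled() {
    proto=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    include=""
    exclude=""
    # Commas and whitespace both separate entries; matching is case-insensitive.
    for tok in $(printf '%s' "$1" | tr ',' ' ' | tr '[:upper:]' '[:lower:]'); do
        case $tok in
            !*) exclude="$exclude ${tok#!} " ;;
            *)  include="$include $tok " ;;
        esac
    done
    case "$exclude" in *" $proto "*) return 1 ;; esac   # explicitly excluded
    [ -z "$include" ] && return 0                        # no inclusion list: all enabled
    case "$include" in *" $proto "*) return 0 ;; esac   # listed as allowed
    return 1                                             # inclusion list without it
}

# audit_postconf TEXT -> prints one line per parameter; the exit status is
# the number of parameters under which SSLv3 is still usable. Feed it the
# full `postconf` output (not `postconf -n`): a parameter missing from TEXT
# reads as empty, i.e. as "everything enabled".
audit_postconf() {
    bad=0
    for param in smtpd_tls_mandatory_protocols smtpd_tls_protocols \
                 smtp_tls_mandatory_protocols  smtp_tls_protocols; do
        value=$(printf '%s\n' "$1" | sed -n "s/^$param *= *//p")
        if proto_enabled "$value" SSLv3; then
            printf '%-30s %-16s SSLv3 STILL USABLE\n' "$param" "'$value'"
            bad=$((bad + 1))
        else
            printf '%-30s %-16s ok\n' "$param" "'$value'"
        fi
    done
    return $bad
}

# Constructed `postconf` excerpts modelled on the bug's test transcript.
# The values the transcript shows as unchanged defaults:
SAMPLE_DEFAULT='smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols =
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2'

# After the `ucr set` commands recommended in the bug (server-side
# opportunistic TLS deliberately left open):
SAMPLE_HARDENED='smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols =
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3'

# Stand-alone run: audit both samples and report the count for each.
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"; do
    rc=0
    audit_postconf "$sample" || rc=$?
    echo "-> $rc parameter(s) still permit SSLv3"
    echo
done
```

On a live system run `audit_postconf "$(postconf)"`; an exit status of 0 means none of the four parameters will negotiate SSLv3. With the settings recommended in the bug exactly one parameter is flagged, `smtpd_tls_protocols`, which is the deliberate trade-off Lutz Willek describes. Keep in mind that the `openssl s_client -ssl3` probe in the transcript was run while both `smtpd_tls_*` parameters excluded SSLv3; on a port that runs opportunistic TLS (`smtpd_tls_security_level = may`) only `smtpd_tls_protocols` applies, so after the recommended `ucr set mail/postfix/smtpd/tls/protocols=''` the same probe is expected to succeed again, and that is what the QA comment "except for incoming mails in opportunistic TLS mode" refers to.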