Univention Bugzilla – Bug 35923
Enable perfect forward secrecy
Last modified: 2015-03-27 11:19:45 CET
We should enable Perfect Forward Secrecy: * Execute the following commands during installation of univention-mail-postfix: $ openssl gendh -out /etc/postfix/dh_512.pem -2 512 $ openssl gendh -out /etc/postfix/dh_1024.pem -2 1024 $ openssl gendh -out /etc/postfix/dh_2048.pem -2 2048 And the new config options: smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem This enables EDH in postfix. * smtpd_tls_eecdh_grade = strong Currently the builtin default value "none" is used which disables ciphers based on EECDH key exchange. * tls_preempt_cipherlist = yes Is currently ignored in UCS 3.x (postfix 2.7) but used in UCS 4. It should also be set. * smtpd_tls_loglevel = 1 smtp_tls_loglevel = 1 Raise TLS loglevel from 0 to 1. Please recheck also for missing options: http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
Added the following ucr variables: /etc/postfix/main.cf: * mail/postfix/smtpd/tls/dh1024/param/file (/etc/postfix/dh_2048.pem) * mail/postfix/smtpd/tls/dh512/param/file (/etc/postfix/dh_512.pem) * mail/postfix/smtpd/tls/eecdh/grade (strong * mail/postfix/tls/preempt/cipherlist (yes) * mail/postfix/smtpd/tls/loglevel (1) * mail/postfix/smtp/tls/loglevel (1) /etc/cron.d/univention-mail-postfix: * mail/postfix/cron/recreate/dh/parameter (0 4 * * *) During installation (and this update) DH paramter files are created (/etc/postfix/dh_*.pem). A cron job /etc/cron.d/univention-mail-postfix has been added to daily recreate the DH paramter files/reload postfix. To verify that Perfect Forward Secrecy is used, the openssl s_client command -> openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 should return a Cipher starting with DHE (UCS 3.2) or ECDHE (UCS 4.0) YAML: 2014-09-22-univention-mail-postfix.yaml Merged to ucs-4.0-0
The UCS-4 installation stalls for a long time while the key material is created. It also prints a lot of '.' lines (5856) to stdout, which get logged to /var/log/syslog during installation: # grep 'in-target: \. *$' /var/log/syslog | sed -ne '1p;$p' Oct 2 08:41:57 in-target: . Oct 2 08:45:25 in-target: . Running the key generation commands in a cron job also depletes the kernel random pool for /dev/random (which MUST be used for key generation). Especially virtual machines are short on sources for true random data, which might lead to additional stalls. Newer QEMU versions provide a VirtIO device for random, but by that the problem is only moved into the host server; an EGD can be installed there. # cat /proc/sys/kernel/random/entropy_avail 870
(In reply to Philipp Hahn from comment #2) > The UCS-4 installation stalls for a long time while the key material is > created. It also prints a lot of '.' lines (5856) to stdout, which get > logged to /var/log/syslog during installation: > # grep 'in-target: \. *$' /var/log/syslog | sed -ne '1p;$p' > Oct 2 08:41:57 in-target: . > Oct 2 08:45:25 in-target: . openssl gendh output is redirected to dev/null during installation and the default for the recreation cron interval is now 0 4 * * 0 (weekly) > > Running the key generation commands in a cron job also depletes the kernel > random pool for /dev/random (which MUST be used for key generation). > Especially virtual machines are short on sources for true random data, which > might lead to additional stalls. Newer QEMU versions provide a VirtIO device > for random, but by that the problem is only moved into the host server; an > EGD can be installed there. > > # cat /proc/sys/kernel/random/entropy_avail > 870 All OpenSSL versions try to use /dev/urandom by default,
As discussed, please - Remove the generation of the 1024bit file, as it is not used. This will reduce the overall time required for key generation - Set the umask of the generated files to 0644. - mail/postfix/smtpd/tls/loglevel and mail/postfix/smtp/tls/loglevel should be initialized with 0 - tls_preempt_cipherlist is only supported in postfix 2.8 and later (UCS 3.2 uses 2.7); smtpd_tls_eecdh_grade is supported in postfix 2.6. At least move the comment in the template
(In reply to Erik Damrose from comment #4) > As discussed, please > - Remove the generation of the 1024bit file, as it is not used. This will > reduce the overall time required for key generation > - Set the umask of the generated files to 0644. > - mail/postfix/smtpd/tls/loglevel and mail/postfix/smtp/tls/loglevel should > be initialized with 0 > - tls_preempt_cipherlist is only supported in postfix 2.8 and later (UCS 3.2 > uses 2.7); smtpd_tls_eecdh_grade is supported in postfix 2.6. At least move > the comment in the template OK removed mail/postfix/smtpd/tls/eecdh/grade and mail/postfix/tls/preempt/cipherlist from 3.2-3 as they are not support by postfix/openssl. Added changelog entry for 4.0.
OK: openssl s_client -starttls smtp -crlf -connect localhost:25 UCS 3.2: Cipher is DHE-RSA-AES256-SHA UCS 4.0: Cipher is ECDHE-RSA-AES256-GCM-SHA384 (In reply to Felix Botner from comment #3) > All OpenSSL versions try to use /dev/urandom by default, OK: https://www.openssl.org/support/faq.html#USER1 -> reduced key generation time by skipping unused 1024bit key OK: Removed UCRV options from UCS 3.2 that are not available OK: Changelog OK: r55485 Only release for 3.2-3 errata Verified
http://errata.univention.de/ucs/3.2/236.html