From 47fac2706f4228c135bdc60cd1d20752f7032adc Mon Sep 17 00:00:00 2001
From: youtous <contact@youtous.me>
Date: Wed, 22 Apr 2020 11:06:03 +0200
Subject: [PATCH] use ffdhe4096 for DHE params

use by default ffdhe4096 for DHE params


use by default ffdhe4096 for DHE params
---
 Dockerfile                           |  3 ++
 target/dovecot/10-ssl.conf           |  5 ++-
 target/start-mailserver.sh           | 48 ++++++++++++++++-----------
 test/config/dhparams.pem             |  8 -----
 test/config/dovecot-lmtp/dh.pem      |  8 -----
 test/config/relay-hosts/dhparams.pem |  8 -----
 test/mail_manual_dhparams.bats       | 49 ++++++++++++++++++++++++++++
 test/test-files/ssl/ffdhe2048.pem    |  8 +++++
 test/tests.bats                      | 17 +++++++---
 9 files changed, 103 insertions(+), 51 deletions(-)
 delete mode 100644 test/config/dhparams.pem
 delete mode 100644 test/config/dovecot-lmtp/dh.pem
 delete mode 100644 test/config/relay-hosts/dhparams.pem
 create mode 100644 test/mail_manual_dhparams.bats
 create mode 100644 test/test-files/ssl/ffdhe2048.pem

diff --git a/Dockerfile b/Dockerfile
index af6c4151..bbb90ea3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -163,6 +163,9 @@ RUN chmod 755 /etc/init.d/postgrey && \
 # Copy PostSRSd Config
 COPY target/postsrsd/postsrsd /etc/default/postsrsd
 
+# Copy shared ffdhe params
+COPY target/shared/ffdhe4096.pem /etc/postfix/shared/ffdhe4096.pem
+
 # Enables Amavis
 COPY target/amavis/conf.d/* /etc/amavis/conf.d/
 RUN sed -i -r 's/#(@|   \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode && \
diff --git a/target/dovecot/10-ssl.conf b/target/dovecot/10-ssl.conf
index 25213a90..7b4c4ec7 100644
--- a/target/dovecot/10-ssl.conf
+++ b/target/dovecot/10-ssl.conf
@@ -43,9 +43,8 @@ ssl_key = </etc/dovecot/ssl/dovecot.key
 #ssl_cert_username_field = commonName
 
 # SSL DH parameters
-# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
-# Or migrate from old ssl-parameters.dat file with the command dovecot
-# gives on startup when ssl_dh is unset.
+# This parameter will be optional in dovecot 2.3 https://wiki2.dovecot.org/Upgrading/2.3#dhparams
+# Until non-ECC based DH algorithms are dropped, please use recommended pre-defined DHE Groups https://github.com/internetstandards/dhe_groups
 ssl_dh = </etc/dovecot/dh.pem
 
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index 913ddc6f..b0cb77e4 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -1364,15 +1364,16 @@ function _setup_postfix_dhparam() {
 	if [ "$ONE_DIR" = 1 ];then
 		DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
 		if [ ! -f $DHPARAMS_FILE ]; then
-			notify 'inf' "Generate new shared dhparams (postfix)"
-			mkdir -p $(dirname "$DHPARAMS_FILE")
-			openssl dhparam -out $DHPARAMS_FILE 2048
+			notify 'inf' "Use ffdhe4096 for dhparams (postfix)"
+      rm -f /etc/postfix/dhparams.pem && cp /etc/postfix/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
 		else
 			notify 'inf' "Use postfix dhparams that was generated previously"
-		fi
+      notify 'warn' "Using self-generated dhparams is considered as insecure."
+      notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
 
-		# Copy from the state directory to the working location
-		rm -f /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
+      # Copy from the state directory to the working location
+      rm -f /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
+		fi
 	else
                 if [ ! -f /etc/postfix/dhparams.pem ]; then
                         if [ -f /etc/dovecot/dh.pem ]; then
@@ -1380,13 +1381,17 @@ function _setup_postfix_dhparam() {
                                 cp /etc/dovecot/dh.pem /etc/postfix/dhparams.pem
                         elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
                                 notify 'inf' "Copy pre-generated dhparams to postfix"
+                                notify 'warn' "Using self-generated dhparams is considered as insecure."
+                                notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
                                 cp /tmp/docker-mailserver/dhparams.pem /etc/postfix/dhparams.pem
                         else
-                                notify 'inf' "Generate new dhparams for postfix"
-                                openssl dhparam -out /etc/postfix/dhparams.pem 2048
+			                          notify 'inf' "Use ffdhe4096 for dhparams (postfix)"
+                                cp /etc/postfix/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
                         fi
                 else
                         notify 'inf' "Use existing postfix dhparams"
+                        notify 'warn' "Using self-generated dhparams is considered as insecure."
+                        notify 'warn' "Unless you known what you are doing, please remove /etc/postfix/dhparams.pem."
                 fi
 	fi
 }
@@ -1396,15 +1401,16 @@ function _setup_dovecot_dhparam() {
         if [ "$ONE_DIR" = 1 ];then
                 DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
                 if [ ! -f $DHPARAMS_FILE ]; then
-                        notify 'inf' "Generate new shared dhparams (dovecot)"
-                        mkdir -p $(dirname "$DHPARAMS_FILE")
-                        openssl dhparam -out $DHPARAMS_FILE 2048
+                        notify 'inf' "Use ffdhe4096 for dhparams (dovecot)"
+                        rm -f /etc/dovecot/dh.pem && cp /etc/postfix/shared/ffdhe4096.pem /etc/dovecot/dh.pem
                 else
                         notify 'inf' "Use dovecot dhparams that was generated previously"
-                fi
+                        notify 'warn' "Using self-generated dhparams is considered as insecure."
+                        notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
 
-                # Copy from the state directory to the working location
-                rm -f /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
+                        # Copy from the state directory to the working location
+                        rm -f /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
+                fi
         else
                 if [ ! -f /etc/dovecot/dh.pem ]; then
                         if [ -f /etc/postfix/dhparams.pem ]; then
@@ -1412,13 +1418,17 @@ function _setup_dovecot_dhparam() {
                                 cp /etc/postfix/dhparams.pem /etc/dovecot/dh.pem
                         elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
                                 notify 'inf' "Copy pre-generated dhparams to dovecot"
+                                notify 'warn' "Using self-generated dhparams is considered as insecure."
+                                notify 'warn' "Unless you known what you are doing, please remove /tmp/docker-mailserver/dhparams.pem."
                                 cp /tmp/docker-mailserver/dhparams.pem /etc/dovecot/dh.pem
                         else
-                                notify 'inf' "Generate new dhparams for dovecot"
-                                openssl dhparam -out /etc/dovecot/dh.pem 2048
+			                          notify 'inf' "Use ffdhe4096 for dhparams (dovecot)"
+                                cp /etc/postfix/shared/ffdhe4096.pem /etc/dovecot/dh.pem
                         fi
                 else
                         notify 'inf' "Use existing dovecot dhparams"
+                        notify 'warn' "Using self-generated dhparams is considered as insecure."
+                        notify 'warn' "Unless you known what you are doing, please remove /etc/dovecot/dh.pem."
                 fi
         fi
 }
@@ -1461,8 +1471,8 @@ function _setup_security_stack() {
         fi
 
 		test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/
-		
-		
+
+
 		if [ "$SPAMASSASSIN_SPAM_TO_INBOX" = "1" ]; then
 				notify 'inf' "Configure Spamassassin/Amavis to put SPAM inbox"
 				bannedbouncecheck=`egrep "final_banned_destiny.*D_BOUNCE" /etc/amavis/conf.d/20-debian_defaults`
@@ -1470,7 +1480,7 @@ function _setup_security_stack() {
 						  then
 									   sed -i "/final_banned_destiny/ s|D_BOUNCE|D_REJECT|" /etc/amavis/conf.d/20-debian_defaults
 							fi
-							
+
 				finalbouncecheck=`egrep "final_spam_destiny.*D_BOUNCE" /etc/amavis/conf.d/20-debian_defaults`
 				  if [ -n "$finalbouncecheck" ] ;
 						  then
diff --git a/test/config/dhparams.pem b/test/config/dhparams.pem
deleted file mode 100644
index 4ebe8dd2..00000000
--- a/test/config/dhparams.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
-8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
-wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
-f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
-4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
-Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
------END DH PARAMETERS-----
diff --git a/test/config/dovecot-lmtp/dh.pem b/test/config/dovecot-lmtp/dh.pem
deleted file mode 100644
index 4ebe8dd2..00000000
--- a/test/config/dovecot-lmtp/dh.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
-8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
-wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
-f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
-4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
-Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
------END DH PARAMETERS-----
diff --git a/test/config/relay-hosts/dhparams.pem b/test/config/relay-hosts/dhparams.pem
deleted file mode 100644
index 4ebe8dd2..00000000
--- a/test/config/relay-hosts/dhparams.pem
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
-8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
-wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
-f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
-4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
-Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
------END DH PARAMETERS-----
diff --git a/test/mail_manual_dhparams.bats b/test/mail_manual_dhparams.bats
new file mode 100644
index 00000000..bd068f98
--- /dev/null
+++ b/test/mail_manual_dhparams.bats
@@ -0,0 +1,49 @@
+load 'test_helper/common'
+
+function setup() {
+    run_setup_file_if_necessary
+}
+
+function teardown() {
+    run_teardown_file_if_necessary
+}
+
+function setup_file() {
+    docker run -d --name mail_manual_dhparams \
+		-v "`pwd`/test/config":/tmp/docker-mailserver \
+		-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+		-v "`pwd`/test/test-files/ssl/ffdhe2048.pem":/var/mail-state/lib-shared/dhparams.pem:ro \
+		-e DMS_DEBUG=0 \
+		-e ONE_DIR=1 \
+		-h mail.my-domain.com -t ${NAME}
+    wait_for_finished_setup_in_container mail_manual_dhparams
+}
+
+function teardown_file() {
+  skip
+    docker rm -f mail_manual_dhparams
+}
+
+@test "first" {
+  skip 'this test must come first to reliably identify when to run setup_file'
+}
+
+@test "checking dhparams: check manual dhparams is used" {
+  test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}')
+  run echo "$test_checksum"
+  refute_output '' # checksum must not be empty
+
+  docker_dovecot_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
+  docker_postfix_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
+  assert_equal "$docker_dovecot_checksum" "$test_checksum"
+  assert_equal "$docker_postfix_checksum" "$test_checksum"
+}
+
+@test "checking dhparams: check warning output when using manual dhparams" {
+  run sh -c "docker logs mail_manual_dhparams | grep 'Using self-generated dhparams is considered as insecure'"
+  assert_success
+}
+
+@test "last" {
+  skip 'this test is only there to reliably mark the end for the teardown_file'
+}
diff --git a/test/test-files/ssl/ffdhe2048.pem b/test/test-files/ssl/ffdhe2048.pem
new file mode 100644
index 00000000..9b182b72
--- /dev/null
+++ b/test/test-files/ssl/ffdhe2048.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/test/tests.bats b/test/tests.bats
index d48fb168..3e57c69d 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -669,12 +669,19 @@ EOF
 
 @test "checking ssl: checking dhe params are sufficient" {
   # reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
-  skip 'todo : check checksum same as mozilla'
-  # todo :
-  # - test case mail uses ffdhe by default
-  # - test case mail uses custom dhe ==> SET WARNING IN LOGS
 
-  # todo : remove dhe generation
+  # check ffdhe params are inchanged
+  repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}')
+  mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
+  assert_equal "$repo_checksum" "$mozilla_checksum"
+  run echo "$repo_checksum"
+  refute_output '' # checksum must not be empty
+
+  # by default, ffdhe4096 should be used
+  docker_dovecot_checksum=$(docker exec mail sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
+  docker_postfix_checksum=$(docker exec mail sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
+  assert_equal "$docker_dovecot_checksum" "$repo_checksum"
+  assert_equal "$docker_postfix_checksum" "$repo_checksum"
 }
 
 #