use ffdhe4096 for DHE params

use by default ffdhe4096 for DHE params 


use by default ffdhe4096 for DHE params
This commit is contained in:
youtous 2020-04-22 11:06:03 +02:00
parent f60de0c66e
commit 47fac2706f
No known key found for this signature in database
GPG key ID: 592173AE8CD254A5
9 changed files with 103 additions and 51 deletions

View file

@ -163,6 +163,9 @@ RUN chmod 755 /etc/init.d/postgrey && \
# Copy PostSRSd Config
COPY target/postsrsd/postsrsd /etc/default/postsrsd
# Copy shared ffdhe params
COPY target/shared/ffdhe4096.pem /etc/postfix/shared/ffdhe4096.pem
# Enables Amavis
COPY target/amavis/conf.d/* /etc/amavis/conf.d/
RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode && \

View file

@ -43,9 +43,8 @@ ssl_key = </etc/dovecot/ssl/dovecot.key
#ssl_cert_username_field = commonName
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
# This parameter will be optional in dovecot 2.3 https://wiki2.dovecot.org/Upgrading/2.3#dhparams
# Until non-ECC based DH algorithms are dropped, please use recommended pre-defined DHE Groups https://github.com/internetstandards/dhe_groups
ssl_dh = </etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,

View file

@ -1364,15 +1364,16 @@ function _setup_postfix_dhparam() {
if [ "$ONE_DIR" = 1 ];then
DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
if [ ! -f $DHPARAMS_FILE ]; then
notify 'inf' "Generate new shared dhparams (postfix)"
mkdir -p $(dirname "$DHPARAMS_FILE")
openssl dhparam -out $DHPARAMS_FILE 2048
notify 'inf' "Use ffdhe4096 for dhparams (postfix)"
rm -f /etc/postfix/dhparams.pem && cp /etc/postfix/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
else
notify 'inf' "Use postfix dhparams that was generated previously"
fi
notify 'warn' "Using self-generated dhparams is considered as insecure."
notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
# Copy from the state directory to the working location
rm -f /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
# Copy from the state directory to the working location
rm -f /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
fi
else
if [ ! -f /etc/postfix/dhparams.pem ]; then
if [ -f /etc/dovecot/dh.pem ]; then
@ -1380,13 +1381,17 @@ function _setup_postfix_dhparam() {
cp /etc/dovecot/dh.pem /etc/postfix/dhparams.pem
elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
notify 'inf' "Copy pre-generated dhparams to postfix"
notify 'warn' "Using self-generated dhparams is considered as insecure."
notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
cp /tmp/docker-mailserver/dhparams.pem /etc/postfix/dhparams.pem
else
notify 'inf' "Generate new dhparams for postfix"
openssl dhparam -out /etc/postfix/dhparams.pem 2048
notify 'inf' "Use ffdhe4096 for dhparams (postfix)"
cp /etc/postfix/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
fi
else
notify 'inf' "Use existing postfix dhparams"
notify 'warn' "Using self-generated dhparams is considered as insecure."
notify 'warn' "Unless you known what you are doing, please remove /etc/postfix/dhparams.pem."
fi
fi
}
@ -1396,15 +1401,16 @@ function _setup_dovecot_dhparam() {
if [ "$ONE_DIR" = 1 ];then
DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
if [ ! -f $DHPARAMS_FILE ]; then
notify 'inf' "Generate new shared dhparams (dovecot)"
mkdir -p $(dirname "$DHPARAMS_FILE")
openssl dhparam -out $DHPARAMS_FILE 2048
notify 'inf' "Use ffdhe4096 for dhparams (dovecot)"
rm -f /etc/dovecot/dh.pem && cp /etc/postfix/shared/ffdhe4096.pem /etc/dovecot/dh.pem
else
notify 'inf' "Use dovecot dhparams that was generated previously"
fi
notify 'warn' "Using self-generated dhparams is considered as insecure."
notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
# Copy from the state directory to the working location
rm -f /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
# Copy from the state directory to the working location
rm -f /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
fi
else
if [ ! -f /etc/dovecot/dh.pem ]; then
if [ -f /etc/postfix/dhparams.pem ]; then
@ -1412,13 +1418,17 @@ function _setup_dovecot_dhparam() {
cp /etc/postfix/dhparams.pem /etc/dovecot/dh.pem
elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
notify 'inf' "Copy pre-generated dhparams to dovecot"
notify 'warn' "Using self-generated dhparams is considered as insecure."
notify 'warn' "Unless you known what you are doing, please remove /tmp/docker-mailserver/dhparams.pem."
cp /tmp/docker-mailserver/dhparams.pem /etc/dovecot/dh.pem
else
notify 'inf' "Generate new dhparams for dovecot"
openssl dhparam -out /etc/dovecot/dh.pem 2048
notify 'inf' "Use ffdhe4096 for dhparams (dovecot)"
cp /etc/postfix/shared/ffdhe4096.pem /etc/dovecot/dh.pem
fi
else
notify 'inf' "Use existing dovecot dhparams"
notify 'warn' "Using self-generated dhparams is considered as insecure."
notify 'warn' "Unless you known what you are doing, please remove /etc/dovecot/dh.pem."
fi
fi
}

View file

@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
-----END DH PARAMETERS-----

View file

@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
-----END DH PARAMETERS-----

View file

@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
-----END DH PARAMETERS-----

View file

@ -0,0 +1,49 @@
load 'test_helper/common'
function setup() {
run_setup_file_if_necessary
}
function teardown() {
run_teardown_file_if_necessary
}
function setup_file() {
docker run -d --name mail_manual_dhparams \
-v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
-v "`pwd`/test/test-files/ssl/ffdhe2048.pem":/var/mail-state/lib-shared/dhparams.pem:ro \
-e DMS_DEBUG=0 \
-e ONE_DIR=1 \
-h mail.my-domain.com -t ${NAME}
wait_for_finished_setup_in_container mail_manual_dhparams
}
function teardown_file() {
skip
docker rm -f mail_manual_dhparams
}
@test "first" {
skip 'this test must come first to reliably identify when to run setup_file'
}
@test "checking dhparams: check manual dhparams is used" {
test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}')
run echo "$test_checksum"
refute_output '' # checksum must not be empty
docker_dovecot_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
docker_postfix_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
assert_equal "$docker_dovecot_checksum" "$test_checksum"
assert_equal "$docker_postfix_checksum" "$test_checksum"
}
@test "checking dhparams: check warning output when using manual dhparams" {
run sh -c "docker logs mail_manual_dhparams | grep 'Using self-generated dhparams is considered as insecure'"
assert_success
}
@test "last" {
skip 'this test is only there to reliably mark the end for the teardown_file'
}

View file

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----

View file

@ -669,12 +669,19 @@ EOF
@test "checking ssl: checking dhe params are sufficient" {
# reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
skip 'todo : check checksum same as mozilla'
# todo :
# - test case mail uses ffdhe by default
# - test case mail uses custom dhe ==> SET WARNING IN LOGS
# todo : remove dhe generation
# check ffdhe params are inchanged
repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}')
mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
assert_equal "$repo_checksum" "$mozilla_checksum"
run echo "$repo_checksum"
refute_output '' # checksum must not be empty
# by default, ffdhe4096 should be used
docker_dovecot_checksum=$(docker exec mail sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
docker_postfix_checksum=$(docker exec mail sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
assert_equal "$docker_dovecot_checksum" "$repo_checksum"
assert_equal "$docker_postfix_checksum" "$repo_checksum"
}
#