Hardening TLS ciphers (#492)

* Hardening Dovecot TLS ciphers
* Mitigate Logjam vulnerability on Dovecot
* Mitigate Logjam vulnerability on Postfix
* Add Nmap tests of PCI compliance for Postfix and Dovecot
* Increase sleep duration on Makefile steps to avoid races
This commit is contained in:
Kai Ren 2017-01-25 15:10:40 +02:00 committed by Thomas VIAL
parent fed48e646d
commit d40ae81d09
5 changed files with 48 additions and 10 deletions

View file

@ -103,6 +103,7 @@ RUN sed -i 's/START_DAEMON=no/START_DAEMON=yes/g' /etc/default/fetchmail
# Configures Postfix # Configures Postfix
COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/ COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
RUN echo "" > /etc/aliases RUN echo "" > /etc/aliases
RUN openssl dhparam -out /etc/postfix/dhparams.pem 2048
# Configuring Logs # Configuring Logs
RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \ RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \

View file

@ -118,7 +118,7 @@ run:
-e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \ -e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \ -e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
sleep 15 sleep 30
fixtures: fixtures:
cp config/postfix-accounts.cf config/postfix-accounts.cf.bak cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
@ -142,7 +142,7 @@ fixtures:
# postfix virtual transport lmtp # postfix virtual transport lmtp
docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt" docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt"
# Wait for mails to be analyzed # Wait for mails to be analyzed
sleep 10 sleep 20
tests: tests:
# Start tests # Start tests

View file

@ -43,13 +43,13 @@ ssl_key = </etc/dovecot/private/dovecot.pem
#ssl_cert_username_field = commonName #ssl_cert_username_field = commonName
# DH parameters length to use. # DH parameters length to use.
#ssl_dh_parameters_length = 1024 ssl_dh_parameters_length = 2048
# SSL protocols to use # SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3 ssl_protocols = !SSLv2 !SSLv3
# SSL ciphers to use # SSL ciphers to use
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
# Prefer the server's order of ciphers over client's. # Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes ssl_prefer_server_ciphers = yes

View file

@ -33,6 +33,7 @@ smtp_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3 smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs smtp_tls_CApath = /etc/ssl/certs

View file

@ -928,3 +928,39 @@ load 'test_helper/bats-assert/load'
assert_success assert_success
assert_output 1 assert_output 1
} }
#
# PCI compliance
#
# dovecot
@test "checking dovecot: only A grade TLS ciphers are used" {
run docker run --rm -i --link mail:dovecot \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "least strength: A"'
assert_success
}
@test "checking dovecot: nmap produces no warnings on TLS ciphers verifying" {
run docker run --rm -i --link mail:dovecot \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "warnings" | wc -l'
assert_success
assert_output 0
}
# postfix
@test "checking postfix: only A grade TLS ciphers are used" {
run docker run --rm -i --link mail:postfix \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 587 postfix | grep "least strength: A"'
assert_success
}
@test "checking postfix: nmap produces no warnings on TLS ciphers verifying" {
run docker run --rm -i --link mail:postfix \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 587 postfix | grep "warnings" | wc -l'
assert_success
assert_output 0
}