Hardening TLS ciphers (#492)

* Hardening Dovecot TLS ciphers
* Mitigate Logjam vulnerability on Dovecot
* Mitigate Logjam vulnerability on Postfix
* Add Nmap tests of PCI compliance for Postfix and Dovecot
* Increase sleep duration on Makefile steps to avoid races

Dockerfile

@@ -103,6 +103,7 @@ RUN sed -i 's/START_DAEMON=no/START_DAEMON=yes/g' /etc/default/fetchmail
 # Configures Postfix
 COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
 RUN echo "" > /etc/aliases
+RUN openssl dhparam -out /etc/postfix/dhparams.pem 2048
 
 # Configuring Logs
 RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \

Makefile

@@ -118,7 +118,7 @@ run:
 		-e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
 		-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
 		-h mail.my-domain.com -t $(NAME)
-	sleep 15
+	sleep 30
 
 fixtures:
 	cp config/postfix-accounts.cf config/postfix-accounts.cf.bak
@@ -142,7 +142,7 @@ fixtures:
 	# postfix virtual transport lmtp
 	docker exec mail_lmtp_ip /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user.txt"
 	# Wait for mails to be analyzed
-	sleep 10
+	sleep 20
 
 tests:
 	# Start tests

target/dovecot/10-ssl.conf

@@ -21,7 +21,7 @@ ssl_key = </etc/dovecot/private/dovecot.pem
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-#ssl_ca = 
+#ssl_ca =
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
@@ -43,13 +43,13 @@ ssl_key = </etc/dovecot/private/dovecot.pem
 #ssl_cert_username_field = commonName
 
 # DH parameters length to use.
-#ssl_dh_parameters_length = 1024
+ssl_dh_parameters_length = 2048
 
 # SSL protocols to use
 ssl_protocols = !SSLv2 !SSLv3
 
 # SSL ciphers to use
-ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
 
 # Prefer the server's order of ciphers over client's.
 ssl_prefer_server_ciphers = yes

target/postfix/main.cf

@@ -6,11 +6,11 @@ append_dot_mydomain = no
 readme_directory = no
 
 # Basic configuration
-# myhostname = 
+# myhostname =
 alias_maps = texthash:/etc/aliases
 alias_database = texthash:/etc/aliases
-mydestination = 
+mydestination =
-relayhost = 
+relayhost =
 mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64
 mailbox_size_limit = 0
 recipient_delimiter = +
@@ -33,6 +33,7 @@ smtp_tls_protocols=!SSLv2,!SSLv3
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
 smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
+smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
 smtpd_tls_CApath = /etc/ssl/certs
 smtp_tls_CApath = /etc/ssl/certs
 

test/tests.bats

@@ -919,8 +919,8 @@ load 'test_helper/bats-assert/load'
 # Postfix VIRTUAL_TRANSPORT
 #
 @test "checking postfix-lmtp: virtual_transport config is set" {
-    run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
+  run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
-    assert_success
+  assert_success
 }
 
 @test "checking postfix-lmtp: delivers mail to existing account" {
@@ -928,3 +928,39 @@ load 'test_helper/bats-assert/load'
   assert_success
   assert_output 1
 }
+
+#
+# PCI compliance
+#
+
+# dovecot
+@test "checking dovecot: only A grade TLS ciphers are used" {
+  run docker run --rm -i --link mail:dovecot \
+    --entrypoint sh instrumentisto/nmap -c \
+      'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "least strength: A"'
+  assert_success
+}
+
+@test "checking dovecot: nmap produces no warnings on TLS ciphers verifying" {
+  run docker run --rm -i --link mail:dovecot \
+    --entrypoint sh instrumentisto/nmap -c \
+      'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "warnings" | wc -l'
+  assert_success
+  assert_output 0
+}
+
+# postfix
+@test "checking postfix: only A grade TLS ciphers are used" {
+  run docker run --rm -i --link mail:postfix \
+    --entrypoint sh instrumentisto/nmap -c \
+      'nmap --script ssl-enum-ciphers -p 587 postfix | grep "least strength: A"'
+  assert_success
+}
+
+@test "checking postfix: nmap produces no warnings on TLS ciphers verifying" {
+  run docker run --rm -i --link mail:postfix \
+    --entrypoint sh instrumentisto/nmap -c \
+      'nmap --script ssl-enum-ciphers -p 587 postfix | grep "warnings" | wc -l'
+  assert_success
+  assert_output 0
+}