Proxmox 5.2 - disable TLS 1.0?

cphillips

New Member
Jul 18, 2019
All,

I have installed Proxmox Mail Gateway 5.2. As part of a business solution, this server needs to pass a PCI-DSS scan every 4 months.

One of the things the scan checks for is the disablement of TLS 1.0. I've run a scan against the Proxmox server and it is coming back as TLS 1.0 being enabled.

Can someone advise how I disable this please? I have done a search and couldn't find a definitive answer.

Thanks in advance.

tom

Proxmox Staff Member
Staff member
Aug 29, 2006
Please provide more details about what you test and what connection you talk about, post the full detail of this test.

cphillips

New Member
Jul 18, 2019
Tom,

Ok. The company has an externally facing mail server (Proxmox Mail Gateway). This has port 25 open to the internet to allow emails to be received. When emails are coming in to Proxmox they are not allowed to use the TLS 1.0 protocol in Postfix to communicate, as this is deemed insecure. I need it to use TLS 1.2/1.3.

https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php as an example gives more detail.

So to summarise, I need to disable TLS 1.0 on Postfix. I did add some lines to main.cf in /etc/postfix but after a reboot they have been removed.

A scan by Security Metrics is flagging this as a vulnerability.

tom

Proxmox Staff Member
Staff member
Aug 29, 2006
What do you get by running this test on your Proxmox Mail Gateway?

> openssl s_client -debug -starttls smtp -crlf -connect localhost:25

cphillips

New Member
Jul 18, 2019
> What do you get by running this test on your Proxmox Mail Gateway?
>
> > openssl s_client -debug -starttls smtp -crlf -connect localhost:25

Tom,

This produced loads of output (screens and screens). Was there any particular part you were interested in?

cphillips

New Member
Jul 18, 2019
Thanks Tom.

I need to add the following lines to my main.cf Postfix file:

Code:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1

Code:
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
                           DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
                           RSA+AES, eNULL

As a side note, you also need to force some form of encryption with the following two lines:

Code:
smtpd_tls_security_level = encrypt
smtp_tls_security_level  = encrypt

I assume I add those to the main.cf file in /etc/pmg/templates/. Though I noticed I only have /etc/pmg - no templates folder in there?
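Before applying the settings above (or after regenerating the Postfix configuration), it is useful to confirm what the resulting main.cf actually says about TLS 1.0 for all four protocol parameters, since a scanner only cares about the effective result. The following is an added example, not code from the thread or from Proxmox: a small Python audit that parses Postfix's main.cf syntax (including the whitespace-indented continuation lines used for smtpd_tls_exclude_ciphers) and reports, per parameter, whether TLSv1 is still allowed. It understands both the `!TLSv1` exclusion form used in the post and the `>=TLSv1.2` minimum-version form; the sample configuration embedded at the bottom is constructed for illustration, and the assumption that a missing parameter leaves TLSv1 enabled reflects the Postfix default for this era (`!SSLv2, !SSLv3`).

```python
"""Audit a Postfix main.cf for TLS 1.0 exposure (added example, not PMG code)."""
import re

# The four parameters that govern protocol selection for inbound (smtpd_*)
# and outbound (smtp_*) connections, opportunistic and mandatory.
PROTOCOL_PARAMS = (
    "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
    "smtp_tls_protocols", "smtp_tls_mandatory_protocols",
)
# Ordering used to interpret a ">=TLSv1.x" minimum-version token.
PROTO_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_main_cf(text):
    """Parse main.cf: 'name = value' lines; a line starting with whitespace
    continues the previous value; '#' lines and blank lines are ignored."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not an assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def tlsv1_allowed(value):
    """Return True if a *_tls_protocols value still permits TLSv1.

    None (parameter absent) -> True: assumption that the Postfix default of
    '!SSLv2, !SSLv3' leaves TLSv1 enabled.
    """
    if value is None:
        return True
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    if "TLSv1" in excluded:
        return False
    # Minimum-version form, e.g. '>=TLSv1.2'.
    minimum = next((t[2:] for t in tokens if t.startswith(">=")), None)
    if minimum in PROTO_ORDER and PROTO_ORDER.index(minimum) > PROTO_ORDER.index("TLSv1"):
        return False
    # Inclusive list form, e.g. 'TLSv1.2 TLSv1.3': only listed versions are on.
    positive = [t for t in tokens if not t.startswith(("!", ">=", "<="))]
    if positive and "TLSv1" not in positive:
        return False
    return True


def audit(text):
    """Map each protocol parameter to True (TLSv1 allowed) or False."""
    params = parse_main_cf(text)
    return {p: tlsv1_allowed(params.get(p)) for p in PROTOCOL_PARAMS}


# Constructed sample: the settings from the post above, with 'may' as the
# security level, plus the multi-line cipher exclusion list.
SAMPLE_HARDENED = """\
# constructed main.cf fragment
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
                           DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
                           RSA+AES, eNULL
smtpd_tls_security_level = may
"""

# Constructed sample: only the security level set, protocols left at default.
SAMPLE_DEFAULT = "smtpd_tls_security_level = may\n"

if __name__ == "__main__":
    for label, cfg in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        print(label)
        for param, allowed in audit(cfg).items():
            print(f"  {param:32s} TLSv1 {'ALLOWED' if allowed else 'disabled'}")
```

Run it against a copy of the generated /etc/postfix/main.cf; any line reporting ALLOWED is a parameter a TLS 1.0 scan will still trip on. The parameter split matters in practice: the opportunistic `smtpd_tls_protocols` is what an external scanner exercises on port 25, while the `*_mandatory_*` variants only apply when the security level is `encrypt`.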

heutger

Active Member
Apr 25, 2018
Read the manual about the template system; your settings will otherwise get lost with the next updates. The security level you can set via the GUI, and it may not be the best idea to set it to encrypt (force encryption); you may use may. Disabling TLSv1 may be right from a security perspective, but some companies still deliver mails via TLSv1. If you disable TLSv1, these messages will be sent in clear text (with a second connection), so the decision is between weak encryption or no encryption at all. Your cipher suite set is really weak; it should be hardened. You also should send your preferred order instead of letting the client choose. You may find additional help on my Advancing Thread.