Proxmox 5.2 - disable TLS 1.0?

[cphillips]

All.

I have installed Promox Mail Gateway 5.2. As part of a business solution, this server needs to pass a PCI-DSS scan every 4 months.

One of the things the scan checks for is the disablement of TLS 1.0. I've run a scan against the Proxmox server and it is coming back as TLS 1.0 being enabled.

Can someone advise how I disable this please? I have done a search and couldn't find a definitive answer.

Thanks in advance.

 

[tom]

Maybe this is what you are looking for?

https://pmg.proxmox.com/pmg-docs/pm...mgproxy_proxmox_mail_gateway_api_proxy_daemon

 

[cphillips]

Tom,

I don't have /etc/default/pmgproxy on my system to modify?!

 

[tom]

Tom,

I don't have /etc/default/pmgproxy on my system to modify?!

=> create it.

 

[cphillips]

=> create it.

Thanks Tom, I've created that file with the cipher list and rebooted. Re-running the scan against the server still shows it as having TLS 1.0 as a connection option.

 

[tom]

Please provide more details about what you test and what connection you talk about, post the full detail of this test.

 

[cphillips]

Tom,

Ok. The company has an externally facing mail server (Proxmox Mail Gateway). This has port 25 open to the internet to allow emails to be received. When emails are coming in to Proxmox they are not allowed to use the TLS 1.0 protocol in Postfix to communicate as this is deemed insecure. I need it to use TLS 1.2/1.3

https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php as an example gives more detail.

So to summarise, I need to disable TLS 1.0 on Postfix. I did add some lines to main.cf in /etc/postfix but after a reboot they have been removed.

A scan by Security Metrics is flagging this as a vulnerability.

 

[tom]

So to summarise, I need to disable TLS 1.0 on Postfix. I did add some lines to main.cf in /etc/postfix but after a reboot they have been removed

Check https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_service_configuration_templates

 

[tom]

What do you get by running this test on your Proxmox Mail Gateway?

> openssl s_client -debug -starttls smtp -crlf -connect localhost:25

 

[cphillips]

What do you get by running this test on your Proxmox Mail Gateway?

> openssl s_client -debug -starttls smtp -crlf -connect localhost:25

Tom,

This produced loads of output (screens and screens). Was there any particular part you were interested in?

 

[cphillips]

Check https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_service_configuration_templates

Thanks Tom.

I need to add the following lines to my main.cf Postfix file:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1

smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
                           DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
                           RSA+AES, eNULL

As a side note, you also need to force some form of encryption with the following two lines:

smtpd_tls_security_level = encrypt
smtp_tls_security_level  = encrypt

I assume I add those to the main.cf file in /etc/pmg/templates/. Though I noticed I only have /etc/pmg - no templates folder in there?

 

[tom]

no templates folder in there?

Read again the docs, you need to copy them.

 

[heutger]

Read the manual about the template system, your settings otherwise will get lost with next updates. The security level you can set via GUI and it may not be the best idea to set to encrypt (force encryption), you may use may. Disabling TLSv1 may be right from security point perspective, but some companies still deliver mails via TLSv1. If you disable TLSv1, this messages will be sent in clear text (with second connection), so decision is between weak encryption or no encryption at all. Your cipher suite set is really weak, it should be hardened. You also should send your preferred order instead of let the client choose. You may find additional help on my Advancing Thread.