Proxmox 5.2 - disable TLS 1.0?

cphillips

New Member
Jul 18, 2019
All.

I have installed Proxmox Mail Gateway 5.2. As part of a business solution, this server needs to pass a PCI-DSS scan every 4 months.

One of the things the scan checks for is the disablement of TLS 1.0. I've run a scan against the Proxmox server and it is coming back as TLS 1.0 being enabled.

Can someone advise how I disable this please? I have done a search and couldn't find a definitive answer.

Thanks in advance.
 
Please provide more details about what you are testing and which connection you are talking about; post the full details of this test.
 
Tom,

Ok. The company has an externally facing mail server (Proxmox Mail Gateway). This has port 25 open to the internet to allow emails to be received. When emails are coming into Proxmox, they are not allowed to use the TLS 1.0 protocol in Postfix to communicate, as this is deemed insecure. I need it to use TLS 1.2/1.3.

https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php as an example gives more detail.

So to summarise, I need to disable TLS 1.0 on Postfix. I did add some lines to main.cf in /etc/postfix but after a reboot they have been removed.

A scan by Security Metrics is flagging this as a vulnerability.
 
What do you get by running this test on your Proxmox Mail Gateway?

> openssl s_client -debug -starttls smtp -crlf -connect localhost:25
 
> What do you get by running this test on your Proxmox Mail Gateway?
>
> openssl s_client -debug -starttls smtp -crlf -connect localhost:25
Tom,

This produced loads of output (screens and screens). Was there any particular part you were interested in?
 
Thanks Tom.

I need to add the following lines to my main.cf Postfix file:

Code:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1

Code:
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
                           DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
                           RSA+AES, eNULL

As a side note, you also need to force some form of encryption with the following two lines:

Code:
smtpd_tls_security_level = encrypt
smtp_tls_security_level  = encrypt

I assume I add those to the main.cf file in /etc/pmg/templates/. Though I noticed I only have /etc/pmg - no templates folder in there?
 
Read the manual about the template system; otherwise your settings will get lost with the next update. The security level can be set via the GUI, and it may not be the best idea to set it to encrypt (force encryption); you may use may. Disabling TLSv1 may be right from a security perspective, but some companies still deliver mails via TLSv1. If you disable TLSv1, these messages will be sent in clear text (with a second connection), so the decision is between weak encryption or no encryption at all. Your cipher suite set is really weak; it should be hardened. You also should send your preferred order instead of letting the client choose. You may find additional help on my Advancing Thread.
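As an added example (not code from the thread or from Proxmox), here is a small POSIX shell script that repeats Tom's openssl s_client test once per TLS version, so you can confirm from the outside which versions Postfix still accepts after changing the template, the same thing the PCI scanner checks. Host and port are assumed script arguments; the output patterns matched are those printed by openssl s_client on a successful or rejected handshake.

```shell
#!/bin/sh
# Added example: probe an SMTP server's STARTTLS for each TLS version.
# Assumes: openssl in PATH; host and optional port (default 25) as arguments.

# classify_handshake: read openssl s_client output on stdin and print the
# negotiated protocol (e.g. TLSv1.2), "rejected" if the server refused the
# requested version, or a note if the local openssl lacks the version flag.
classify_handshake() {
  awk '
    /^[ \t]*Protocol[ \t]*:/ { proto = $3 }
    /Cipher is \(NONE\)|alert protocol version|handshake failure/ { rej = 1 }
    tolower($0) ~ /unknown option/ { unsup = 1 }
    END {
      if (unsup) print "unsupported-by-local-openssl"
      else if (rej || proto == "") print "rejected"
      else print proto
    }'
}

# probe_tls HOST PORT FLAG: one handshake restricted to a single version,
# using the same STARTTLS command as in the thread (stdin closed so it exits).
probe_tls() {
  openssl s_client -starttls smtp -crlf -connect "$1:$2" "$3" </dev/null 2>&1 \
    | classify_handshake
}

# check_server HOST [PORT]: one line per version; after disabling TLSv1 you
# expect "-tls1 rejected" and "-tls1_2 TLSv1.2" (TLSv1.3 if both sides support it).
check_server() {
  host=$1
  port=${2:-25}
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%s %s\n' "$flag" "$(probe_tls "$host" "$port" "$flag")"
  done
}

# Only probe when a host is given, so the functions can be sourced safely.
if [ -n "${1:-}" ]; then
  check_server "$1" "${2:-25}"
fi
```

Run it against the gateway from a host outside your network as well as from localhost, since the PCI scan is performed from the outside.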
 