TLS Hardening

Discussion in 'Mail Gateway: Installation and configuration' started by andrewo, Nov 30, 2018.

  1. andrewo

    andrewo New Member

    Joined:
    Nov 30, 2018
    Messages:
    4
    Likes Received:
    0
    Hi Guys,

    We ran a vulnerability scan against our ProxMox Mail Gateway (5.0-61) and it came back with several issues, all relating to TLS. Summary of the issues below:

    1. TLS 1.0 supported, which is insecure
    2. TLS 1.1 supported, which is insecure
    3. SSL Anonymous ciphers supported

    After some digging, it turns out these issues can be addressed by modifying main.cf and adding something like the following:

    smtpd_tls_protocols = TLSv1.2,!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
    smtpd_tls_ciphers = high

    The issue is that after saving main.cf and rebooting the appliance, the changes are reverted to default. Also, at the top of the config it says "# auto-generated by proxmox", leading me to believe this is overwritten by ProxMox.

    Can somebody clarify how we can harden our deployment to close these security gaps?

    Thanks,
    Andrew
     
  2. dcsapak

    dcsapak Proxmox Staff Member
    Staff Member

    Joined:
    Feb 1, 2016
    Messages:
    2,937
    Likes Received:
    266
    You should not modify main.cf directly; copy and use the template for that, see
    https://<your-pmg-host>:8006/pmg-docs/pmg-admin-guide.html#_service_configuration_templates
     
  3. andrewo

    andrewo New Member

    Joined:
    Nov 30, 2018
    Messages:
    4
    Likes Received:
    0
    Thank you for these additional details. Just so I'm completely clear, can you confirm the below steps are accurate?
    1. Copy /var/lib/pmg/templates/main.cf.in to /etc/pmg/templates/main.cf.in
    2. Edit /etc/pmg/templates/main.cf.in and add the config I referenced in my post
    3. Save /etc/pmg/templates/main.cf.in
    4. Run the following command to apply the changes: pmgconfig sync --restart 1
     
  4. dcsapak

    dcsapak Proxmox Staff Member
    Staff Member

    Joined:
    Feb 1, 2016
    Messages:
    2,937
    Likes Received:
    266
    Yes.
     
  5. andrewo

    andrewo New Member

    Joined:
    Nov 30, 2018
    Messages:
    4
    Likes Received:
    0
    Thanks! Does the location where I put the new config in main.cf.in matter?
     
  6. dcsapak

    dcsapak Proxmox Staff Member
    Staff Member

    Joined:
    Feb 1, 2016
    Messages:
    2,937
    Likes Received:
    266
    It should not matter.
     
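    The procedure confirmed above (copy the shipped template to /etc/pmg/templates, add the TLS settings anywhere in it, run pmgconfig sync --restart 1), as an added example that is not part of the thread and not Proxmox's own code: a small POSIX shell script that creates the override template, sets the inbound (smtpd_) TLS parameters without leaving duplicate keys, and checks the result. The function names, the parameterised paths and the sample template are assumptions or constructed for the demo. It also sets smtpd_tls_exclude_ciphers = aNULL, because a cipher grade of "high" alone does not remove the anonymous suites behind the third scanner finding; Postfix documents the aNULL exclusion for that.

```shell
#!/bin/sh
# Added example for this thread, not Proxmox's own tooling. It assumes the layout
# described above: the shipped template is /var/lib/pmg/templates/main.cf.in, an
# override copy in /etc/pmg/templates/main.cf.in takes precedence, and
# "pmgconfig sync --restart 1" renders it. Paths are parameters so the functions
# can be exercised against a scratch copy before touching the appliance.

# set_main_cf_param FILE KEY VALUE
# Rewrite an existing "KEY = ..." line in place, or append one at the end.
# Postfix uses the last definition of a parameter, so appending would also work,
# but rewriting keeps the template free of duplicate keys (postconf warns on them).
set_main_cf_param() {
    file=$1 key=$2 value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i "s|^\([[:space:]]*\)${key}[[:space:]]*=.*|\1${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_pmg_template SRC DST
# Copy SRC to DST unless DST already exists (never clobber an admin's override),
# then apply the inbound TLS settings. The exclusion form of the protocol list is
# the one the Postfix documentation recommends and works on Postfix >= 2.5; the
# ">=TLSv1.2" range syntax needs Postfix 3.6. aNULL drops the anonymous cipher
# suites the scanner flagged. Outbound delivery is governed by the smtp_tls_*
# parameters, which this function deliberately leaves alone.
harden_pmg_template() {
    src=$1 dst=$2
    if [ ! -e "$dst" ]; then
        mkdir -p "$(dirname "$dst")"
        cp "$src" "$dst"
    fi
    set_main_cf_param "$dst" smtpd_tls_protocols           '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
    set_main_cf_param "$dst" smtpd_tls_mandatory_protocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
    set_main_cf_param "$dst" smtpd_tls_ciphers             high
    set_main_cf_param "$dst" smtpd_tls_mandatory_ciphers   high
    set_main_cf_param "$dst" smtpd_tls_exclude_ciphers     aNULL
}

# check_tls_hardened FILE
# Exit 0 only if FILE excludes every legacy protocol from smtpd_tls_protocols and
# excludes aNULL ciphers. Run it on the template and, after "pmgconfig sync
# --restart 1", on the rendered /etc/postfix/main.cf to confirm the override took.
check_tls_hardened() {
    file=$1
    for p in SSLv2 SSLv3 TLSv1 'TLSv1\.1'; do
        grep -Eq "^[[:space:]]*smtpd_tls_protocols[[:space:]]*=.*!${p}(,|[[:space:]]|$)" "$file" || return 1
    done
    grep -Eq '^[[:space:]]*smtpd_tls_exclude_ciphers[[:space:]]*=.*aNULL' "$file"
}

# Stand-alone demo on a constructed stand-in for the shipped template (not the
# real PMG file), so the script runs anywhere without touching /etc.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# auto-generated by proxmox' \
        'smtpd_tls_security_level = may' \
        'smtpd_tls_ciphers = medium' > "$tmp/shipped.main.cf.in"
    harden_pmg_template "$tmp/shipped.main.cf.in" "$tmp/etc/pmg/templates/main.cf.in"
    if check_tls_hardened "$tmp/etc/pmg/templates/main.cf.in"; then
        echo "hardened template:"; cat "$tmp/etc/pmg/templates/main.cf.in"
    else
        echo "hardening failed" >&2
    fi
    rm -rf "$tmp"
}
demo
```

    On the appliance, call harden_pmg_template /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/main.cf.in, run pmgconfig sync --restart 1, then run check_tls_hardened /etc/postfix/main.cf (or postconf smtpd_tls_protocols) to confirm the rendered file carries the override rather than the auto-generated default. From another host, openssl s_client -connect <host>:25 -starttls smtp -tls1_1 should now fail the handshake and the same command with -cipher aNULL should be refused, which is essentially the check the scanner performs. The interoperability trade-off raised later in the thread concerns smtpd_tls_protocols only: if you must keep receiving from senders that only speak TLS 1.0/1.1, drop the !TLSv1,!TLSv1.1 exclusions from that one line, keep them in smtpd_tls_mandatory_protocols (which applies only where TLS is mandatory, e.g. submission), and keep the aNULL exclusion, which costs no legitimate sender anything.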
  7. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    331
    Likes Received:
    78
    Hi Andrew,

    Be careful. I tried to harden my SMTP configuration the same way a long time ago and stopped doing so. You will reject many senders, and the German federal information security office recommends also allowing NULL ciphers because of badly configured incoming or outgoing mail server partners. So for HTTP it works well to harden the configuration, but for mail servers I would not be too strict, if you don't want to reject legitimate senders who are just using the mail servers of lame admins.

    Regards,
    Christian
     
  8. andrewo

    andrewo New Member

    Joined:
    Nov 30, 2018
    Messages:
    4
    Likes Received:
    0
    Hi Christian - thank you for your comment. Since we leverage opportunistic TLS, will it not simply fall back to sending an unencrypted message if it is not possible to do so using strong encryption? Let me know your thoughts.
     
  9. heutger

    heutger Active Member

    Joined:
    Apr 25, 2018
    Messages:
    331
    Likes Received:
    78
    I thought the same, but I found that if someone enters the STARTTLS dialogue, they stay in this dialogue, and it can result in them being declined because of incompatible cipher suites. It looks like they then won't fall back to no TLS again. That was my experience with large providers like 1&1, which don't support modern cipher suites; therefore the connection was dropped and they couldn't send me mail anymore. Sad but true, it's like SPF: on HTTP(S) harder requirements work well, but on the mail side they don't. However, the best encryption is end-to-end encryption on the mail path, e.g. with S/MIME.
     