Postfix gegen DROWN Attacke absichern
Wer einen Postfix Server betreibt der vor dem 20 Juli 2015 released wurde, oder der explizit SSLv2 aktiviert hat, der sollte seine Konfiguration folgendermaßen anpassen.
Minimal recommended settings
# Minimal recommended settings. Whenever the built-in defaults are
# sufficient, let the built-in defaults stand by deleting any explicit
# overrides. The default mandatory TLS protocols have never included
# SSLv2, check to make sure you have not inadvertently enabled it.
#
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtp_tls_ciphers = medium
Strongly recommended settings
# Strongly recommended:
# http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs
# (Note, before applying the setting below, you'll need to create
# the dh2048.pem parameter file as described in FORWARD_SECRECY_README)
#
smtpd_tls_dh1024_param_file=${config_directory}/dh2048.pem
smtpd_tls_eecdh_grade = strong
# Suggested, not strictly needed:
#
smtpd_tls_exclude_ciphers =
EXPORT, LOW, MD5, SEED, IDEA, RC2
smtp_tls_exclude_ciphers =
EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
EDH Server support (Postfix ≥ 2.2, all supported OpenSSL versions)
Optionally generate non-default Postfix SMTP server EDH parameters for improved security against pre-computation attacks and for compatibility with Debian-patched Exim SMTP clients that require a ≥ 2048-bit length for the non-export prime.
Execute as root (prime group generation can take a few seconds to a few minutes):
# cd /etc/postfix
# umask 022
# openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
# openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
# openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
# chmod 644 dh512.pem dh1024.pem dh2048.pem
Postfix gegen POODLE Attacke absichern
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
Postfix gegen FREAK Attacke absichern
smtpd_tls_exclude_ciphers = EXPORT, LOW
Postfix SSL Beispiel Konfiguration
smtpd_tls_cert_file=/etc/letsencrypt/live/rz.siegnetz.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/rz.siegnetz.de/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
Postfix IPv6 Konfiguration
# You must stop/start Postfix after changing this parameter.
inet_protocols = ipv4 (DEFAULT: enable IPv4 only)
inet_protocols = all (enable IPv4, and IPv6 if supported)
inet_protocols = ipv4, ipv6 (enable both IPv4 and IPv6)
inet_protocols = ipv6 (enable IPv6 only)
Der Parameter mynetworks listet die SMTP Clients auf, die als vertrauenswürdig betrachtet werden. Diese
SMTP Clients dürfen Emails relayen.
Es ist darauf zu achten, dass die IPv6 Adressen in [] Klammer definiert werden.
mynetworks = 127.0.0.0/8 [::1]/128 [2a03:2a00:1300:0:5700::10]/128
Der neue Parameter smtp_bind_address6 definiert das Interface für ausgehende IPv6 Verbindungen.
smtp_bind_address6 = 2a03:2a00:1300:0:5700::10
Mehr zu IPv6 und Postfix ist unter Postfix IPv6 README zu finden.
Postfix Konfiguration
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
DNS Konfiguration
Hier wird ein TLSA-Record für den Benutzungstyp “DANE-EE (Domain-issued certificate)” (Wert 3), den Selector “Cert (Hash des vollen Zertifikats)” (Wert 0) mit dem Hash-Algorithmus (Matching-Type) “SHA2-256” (Wert 1) erstellt.
$ openssl x509 -in rz.siegnetz.de.crt -outform DER | openssl sha256
(stdin)=3C4D924C2F17753E9365D58356E6883C5039AB7D870FD1A750AF0EC1 82F73CC1
In Verbindung mit den Flags 3 0 1 ergibt sich der folgende TLSA-Record für den DNS Zonen File:
_25._tcp.rz.siegnetz.de. IN TLSA 3 0 1 3C4D924C2F17753E9365D58356E6883C5039AB7D870FD1A750AF0EC182F73CC1
Testing DANE
# posttls-finger -t30 -T180 -c -L verbose,summary rz.siegnetz.de
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.rz.siegnetz.de IN TLSA 3 0 1 3C:4D:92:4C:2F:17:75:3E:93:65:D5:83:56:E6:88:3C:50:39:AB:7D:87:0F:D1:A7:50:AF:0E:C1:82:F7:3C:C1
posttls-finger: setting up TLS connection to rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25
posttls-finger: rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
posttls-finger: rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25: depth=2 verify=0 subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
posttls-finger: rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25: depth=2 verify=0 subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
posttls-finger: rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25: depth=1 verify=1 subject=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
posttls-finger: rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25: depth=0 verify=1 subject=/CN=rz.siegnetz.de
posttls-finger: rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25: depth=0 matched end entity certificate sha256 digest 3C:4D:92:4C:2F:17:75:3E:93:65:D5:83:56:E6:88:3C:50:39:AB:7D:87:0F:D1:A7:50:AF:0E:C1:82:F7:3C:C1
posttls-finger: rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25: subject_CN=rz.siegnetz.de, issuer_CN=thawte DV SSL CA - G2, fingerprint=48:60:45:9A:81:E9:ED:4A:B7:FA:F1:5F:97:1E:5F:7A:28:E8:4B:48, pkey_fingerprint=6A:99:2E:3F:D4:38:2F:0E:56:A7:A7:23:5A:EE:EA:45:51:0A:2A:0B
posttls-finger: Verified TLS connection established to rz.siegnetz.de[2a03:2a00:1300:0:5700::10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Postfix smtp_address_verify_target
Bei der Adressen Verifizierung ab Postfix > 3.0 gibt es die Möglichkeit
den Punkt der SMTP Verbindung zu konfigurieren, ab wann eine Email Adresse gültig ist.
Bei Exchange 2013 Verbindungen findet dies nach dem DATA Befehl statt.
<- 220 EX.in.siegnetz.de Microsoft ESMTP MAIL Service ready at Wed, 25 Feb 2015 17:28:37 +0100
-> EHLO lab
<- 250-EX.in.siegnetz.de Hello [10.0.0.70]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250-DSN
<- 250-ENHANCEDSTATUSCODES
<- 250-STARTTLS
<- 250-X-ANONYMOUSTLS
<- 250-AUTH NTLM
<- 250-X-EXPS GSSAPI NTLM
<- 250-8BITMIME
<- 250-BINARYMIME
<- 250-CHUNKING
<- 250 XRDST
-> MAIL FROM:<hostmaster@siegnetz.de>
<- 250 2.1.0 Sender OK
-> RCPT TO:<unknown@siegnetz.de>
<- 250 2.1.5 Recipient OK
-> DATA
<- 354 Start mail input; end with <CRLF>.<CRLF>
-> Date: Wed, 25 Feb 2015 17:28:37 +0100
-> To: unknown@siegnetz.de
-> From: hostmaster@siegnetz.de
-> Subject: test Wed, 25 Feb 2015 17:28:37 +0100
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
->
-> This is a test mailing
->
-> .
<** 550 5.1.1 User unknown
-> QUIT
<- 221 2.0.0 Service closing transmission channel
=== Connection closed with remote host.
Um Email Empfänger auf einem Exchange 2013 zu verifizieren,
kann man folgende Postfix Konfiguration verwenden. Der Parameter smtp_address_verify_target
ist mit rcpt oder data zu konfigurieren.
/etc/postfix/main.cf:
address_verify_map = hash:\${data_directory}/verify
address_verify_sender_ttl = 8h
address_verify_sender = no-reply@siegnetz.de
address_verify_relayhost =
address_verify_default_transport = direct_smtp
address_verify_local_transport = \$local_transport
address_verify_positive_refresh_time = 7d
address_verify_positive_expire_time = 31d
address_verify_negative_refresh_time = 3h
address_verify_negative_expire_time = 3d
address_verify_transport_maps = hash:/etc/postfix/verify_transport
/etc/postfix/transport:
smtp-domain-that-verifies-after-data smtp-data-target:
lmtp-domain-that-verifies-after-data lmtp-data-target:
/etc/postfix/master.cf:
direct_smtp unix - - n - - smtp
-o smtp_helo_name=rz.siegnetz.de
smtp-data-target unix - - n - - smtp
-o smtp_address_verify_target=data
-o smtp_helo_name=rz.siegnetz.de
lmtp-data-target unix - - n - - lmtp
-o lmtp_address_verify_target=data
-o smtp_helo_name=rz.siegnetz.de
Exchange 2007 & 2010 Recipient Validation
Mit folgendem Powershell Befehl ist die Recipient Validation bei
Exchange 2007 & 2010 zu aktivieren. Ansonsten nimmt der Exchange jede Email an und versendet
bei nicht existenten Benutzern eine Non-Delivery-Message (NDM).
Set-RecipientFilterConfig -Enabled \$true -RecipientValidationEnabled \$true
Restart-Service MSExchangeTransport
Exchange 2013 Recipient Validation
Auf einem Mailbox Server einen neuen Receive Connector anlegen, der
nur für die Verifizierung genutzt wird.
Add-PSSnapIn -Name Microsoft.Exchange*
\$Port = 2525
\$Server = "<MailboxServerName>"
New-ReceiveConnector -Name RCPT_Verify -Bindings "0.0.0.0:\$(\$Port)" -TransportRole HubTransport -RemoteIPRanges 0.0.0.0-255.255.255.255 -AuthMechanism None -PermissionGroups Anonymous -Server \$Server
\$Command = { New-NetFirewallRule -DisplayName "MSExchange Recipient verify" -Direction inbound -LocalPort \$Port -Protocol TCP -Action ALLOW }
Invoke-Command -ComputerName \$Server -ScriptBlock \$Command
Exchange 2013 Antispam-Agent aktivieren
Damit eine Recipient Verifizierung möglich ist, müssen die AntiSpam Agents
installiert werden. Da nur der Recipient Filter Agent benötigt wird, werden alle anderen
Agent deaktiviert.
cd 'C:\Program Files\Microsoft\Exchange Server\V15\Scripts'
.\install-AntispamAgents.ps1
"Content Filter Agent","Sender Id Agent","Sender Filter Agent","Protocol Analysis Agent" \| Disable-TransportAgent
Restart-Service MSExchangeTransport