  1. #1 (Just Joined!, joined Aug 2010, 3 posts)

    Postfix, disabling SSLv2: not trivial

    Hi,
    I am a new poster, although I've been a lurker for a long time, and I hope the wealth of experience on LinuxForums can help me solve an issue I've been pulling my hair out over for the last week.

    I am undergoing PCI compliance scans and have been able to solve all the issues indicated with the exception of one: SSL Server Supports Weak Encryption Vulnerability over port 25. Now, before I go over the list of solutions I've tried, let me post my Postfix main.cf and master.cf:

    Code:
    main.cf
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    myhostname = mail.puntalo.com
    mydomain = puntalo.com
    myorigin = $mydomain
    inet_interfaces = all
    mydestination = $myhostname, localhost.$mydomain, localhost
    unknown_local_recipient_reject_code = 550
    mynetworks_style = host
    mynetworks = $config_directory/mynetworks
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    home_mailbox = Maildir/
    debug_peer_level = 2
    debugger_command =
    	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    	 ddd $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix-2.5.5/samples
    readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
    inet_protocols = all
    
    virtual_mailbox_domains         = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
    virtual_mailbox_base            = /var/vmail
    virtual_mailbox_maps            = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
    virtual_alias_maps              = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
    virtual_mailbox_limit_maps      = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
    virtual_minimum_uid             = 101
    virtual_uid_maps                = static:101
    virtual_gid_maps                = static:12
    dovecot_destination_recipient_limit = 1
    local_transport					= virtual
    
    smtpd_sasl_auth_enable          = yes
    smtpd_sasl_local_domain         = $myhostname
    smtpd_sasl_exceptions_networks  = $mynetworks
    smtpd_sasl_security_options     = noanonymous
    broken_sasl_auth_clients        = yes
    smtpd_sasl_type                 = dovecot
    smtpd_tls_auth_only				= yes
    smtpd_sasl_path                 = private/auth
    
    smtp_tls_CAfile                   = /etc/pki/tls/certs/puntalo_com.ca-bundle
    smtp_tls_cert_file                = /etc/pki/tls/certs/puntalo_com.crt
    smtp_tls_key_file                 = /etc/pki/tls/private/myserver.key
    smtp_tls_session_cache_database   = btree:$data_directory/smtp_tls_session_cache
    smtp_tls_security_level           = may
    smtpd_tls_CAfile                  = /etc/pki/tls/certs/puntalo_com.ca-bundle
    smtpd_tls_cert_file               = /etc/pki/tls/certs/puntalo_com.crt
    smtpd_tls_key_file                = /etc/pki/tls/private/myserver.key
    
    smtpd_tls_security_level          = may
    smtpd_tls_received_header         = yes
    smtpd_tls_ask_ccert               = yes
    smtpd_tls_loglevel                = 1
    tls_random_source                 = dev:/dev/urandom
    
    smtpd_helo_required             = yes
    disable_vrfy_command            = yes
    non_fqdn_reject_code            = 450
    invalid_hostname_reject_code    = 450
    maps_rbl_reject_code            = 450
    
    
    smtpd_recipient_restrictions = 	permit_mynetworks
    								permit_sasl_authenticated
    								reject_unauth_destination
    Code:
    master.cf
    smtp      inet  n       -       n       -       -       smtpd
    pickup    fifo  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    bounce    unix  -       -       n       -       0       bounce
    defer     unix  -       -       n       -       0       bounce
    trace     unix  -       -       n       -       0       bounce
    verify    unix  -       -       n       -       1       verify
    flush     unix  n       -       n       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       n       -       -       smtp
    relay     unix  -       -       n       -       -       smtp
    	-o smtp_fallback_relay=
    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    retry     unix  -       -       n       -       -       error
    discard   unix  -       -       n       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    anvil     unix  -       -       n       -       1       anvil
    scache    unix  -       -       n       -       1       scache

    (As a side note, I need to inform you that I am running Fedora 12 and that this version of Postfix (2.6.5) is compiled with MySQL so it can use PostfixAdmin.)

    Anyway, as I said I have tried a number of things so here we go:

    I've disabled weak ciphers in the httpd.conf, but this works only on port 443:
    Code:
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    I've tried disabling weak ciphers in the main.cf file of Postfix, but to no effect:
    Code:
    smtpd_tls_mandatory_protocols = SSLv3 TLSv1 !SSLv2
    smtpd_tls_mandatory_ciphers = medium
    I have also tried a number of weird combinations of Postfix configuration options, but all to no avail.

    Adding the following configuration options to the master.cf file does indeed allow me to disable SSLv2, but it unfortunately has the side effect of stopping my server from receiving any email:
    Code:
     -o smtpd_tls_wrappermode=yes
     -o smtpd_sasl_auth_enable=yes
    Does anybody have any ideas? I am pulling my hair out!


    Thanks,
    Adrien

  2. #2 Segfault (Linux Engineer, Acadiana, joined Jun 2008, 855 posts)
    Thanks to Google, see Server-side cipher controls
    Postfix TLS Support - SMTP Server specific settings

  3. #3 (Just Joined!, joined Aug 2010, 3 posts)
    Hi Segfault,
    Thanks for your quick reply. You seem to be pointing me to a copy of Postfix's documentation, which I know quite well by now.
    (Unfortunately I am not allowed to post the URL here, but a Google search for "postfix tls support" will get you there)

    Is there something I have missed here?


    Thanks,
    Adrien

  4. #4 Segfault (Linux Engineer, Acadiana, joined Jun 2008, 855 posts)
    Well, it says:

    With mandatory TLS encryption, the Postfix SMTP server will by default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. This is controlled by the smtpd_tls_mandatory_protocols configuration parameter.
    Isn't that what you want?

  5. #5 (Just Joined!, joined Aug 2010, 3 posts)
    In theory, yes, this is what I would need, but somehow it does not work - I don't know why. As you can see from my original post, I have already tried this.
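Added example, not from the thread or from Postfix itself: a small checker that parses a main.cf fragment and reports which protocol list actually governs port 25. The point it demonstrates is that `smtpd_tls_mandatory_protocols` only applies when `smtpd_tls_security_level = encrypt`; with `may` (opportunistic TLS, as in the posted config) the governing parameter is `smtpd_tls_protocols`, available since Postfix 2.6. The protocol-list parsing is a simplified model of Postfix's behaviour (an assumption), and the config fragments are constructed for the example.

```python
import re

# Protocol names a Postfix 2.6-era server distinguishes (TLSv1.1/1.2 came later).
PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})


def parse_main_cf(text):
    """Parse main.cf into a dict: 'key = value' lines plus indented continuation lines."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:  # continuation of the previous value
            params[key] = (params[key] + " " + line.strip()).strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def allowed_protocols(spec):
    """Simplified model (assumption) of a Postfix protocol list: bare names include,
    '!name' excludes, and an empty list means every protocol is allowed."""
    tokens = [t for t in re.split(r"[\s,]+", spec) if t]
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    return (include or set(PROTOCOLS)) - exclude


def effective_smtpd_protocols(params):
    """Return (mode, allowed protocols) for port 25. The governing parameter depends on
    smtpd_tls_security_level: 'encrypt' uses smtpd_tls_mandatory_protocols (default
    'SSLv3, TLSv1'), 'may' uses smtpd_tls_protocols (default empty = everything)."""
    level = params.get("smtpd_tls_security_level", "none")
    if level == "encrypt":
        return "mandatory", allowed_protocols(params.get("smtpd_tls_mandatory_protocols", "SSLv3, TLSv1"))
    if level == "may":
        return "opportunistic", allowed_protocols(params.get("smtpd_tls_protocols", ""))
    return "none", set()


def sslv2_still_offered(params):
    """True when the scanner finding from the thread would still apply."""
    return "SSLv2" in effective_smtpd_protocols(params)[1]


# Constructed fragments: the poster's attempt, and the same lines with the
# opportunistic-mode parameters added alongside the mandatory ones.
POSTED = "smtpd_tls_security_level = may\nsmtpd_tls_mandatory_protocols = SSLv3 TLSv1 !SSLv2\nsmtpd_tls_mandatory_ciphers = medium\n"
FIXED = POSTED + "smtpd_tls_protocols = !SSLv2\nsmtpd_tls_ciphers = medium\n"

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        mode, allowed = effective_smtpd_protocols(parse_main_cf(cfg))
        print(f"{name}: {mode} TLS, allows {sorted(allowed)}, SSLv2 offered: {sslv2_still_offered(parse_main_cf(cfg))}")
```

Once the setting is changed, confirm from the outside with the same scanner rather than trusting the config alone, since `-o` overrides in master.cf can still differ per listener.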
