Dear mailserver operators: PLEASE stop using SSLv3!

I look after a few email servers and after implementing much stricter encryption settings at the start of the year, I noticed some emails were never making it to accounts - being rejected at the negotiation stage (where the remote server sending the email agrees an encryption protocol and cipher with the local server).

I was puzzled by this. TLS is hardly new, yet these servers were only ever attempting to use SSLv3 and then failing to 'upgrade' to TLS - not even TLS1.0. Poor show.

This isn't unique either - I periodically run a script which reports the spread of protocols and ciphers of incoming email connections; here's a sample from one server for the last hour...

   151 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
      1 TLSv1.2 with cipher DHE-RSA-AES128-SHA
      1 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
     52 TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256
     69 TLSv1.2 with cipher AES128-SHA
     86 SSLv3 with cipher DHE-RSA-AES256-SHA

WTF! OK, so the overwhelming number of sending MTAs are using TLS1.2 with a strong cipher, great. Note, NONE are using TLSv1.3. 🙁 But 86 MTAs still using SSLv3 with DHE-RSA-AES256-SHA?! Seriously...

If you run Postfix or equivalent MTA, this oneliner into a bash script will give you a nice tabulated output on demand[1]I typically filter 'unknown' connections as they're usually connecting clients. If you want to include those, remove the piped section where I grep -v (inverting a match). For the full output, only … Continue reading:

#!/bin/sh
egrep "TLS connection established from.*with cipher" /var/log/maillog | grep -v -E "unknown\[" | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -

Please mailops, sort it out. SSLv3 needs to be dead already. I understand the pragmatic approach of supporting SSLv3 for incoming, but at some point we need to collectively draw a line in the sand.

Here's a handy list of ciphers and compatibility recommendations, and here's a quick guide for RHEL OSes on how to quickly disable SSLv2 and SSLv3 support in Postfix.

Bonus Postfix config excerpts

smtpd_tls_mandatory_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, DES, ADH, RC2, RC4, RC5, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, DES, ADH, RC2, RC4, RC5, PSD, SRP, 3DES, eNULL, aNULL

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_exclude_ciphers = ${smtpd_tls_exclude_ciphers}

smtp_tls_protocols = !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = !TLSv1, !SSLv2,
# denying SSLv3 bars too many legit emails, so permitted for now.
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = !TLSv1, !SSLv2
smtp_tls_mandatory_protocols = !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

smtpd_tls_auth_only = yes
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128
-SHA:AES128-SHA

While not a complete config, hopefully it gives you some inspiration.

Further reading: better encryption and Postfix hardening

Any thoughts / want to agree or disagree with anything I've said? Tweet or comment below, insight from others is always a good learning opportunity.

References

References
1 I typically filter 'unknown' connections as they're usually connecting clients. If you want to include those, remove the piped section where I grep -v (inverting a match). For the full output, only run the first command in the chain.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via email. You can also subscribe without commenting.

I