dovecot, openssl, TLS1.0

dovecot, openssl, TLS1.0

Jan Foniok-2
Hi,

Apple Mail on El Capitan doesn't seem to support TLS protocols higher than 1.0 or 1.1.
Older hardware (9 years) is not supported by newer MacOS versions.

A recent update of Debian seems to have disabled these protocols for dovecot imap.

What is the best way out? Can TLS1.0 and 1.1 be enabled?

Thanks,
Jan

Re: dovecot, openssl, TLS1.0

Reco
On Mon, Nov 05, 2018 at 02:29:51PM +0100, Jan Foniok wrote:
> Hi,
>
> Apple Mail on El Capitan doesn't seem to support protocols TLS higher than 1.0 or 1.1.
> Older hardware (9 years) is not supported by newer MacOS versions.
>
> A recent update of debian seems to have disabled these protocols for dovecot imap.
>
> What is the best way out? Can TLS1.0 and 1.1 be enabled?

/etc/dovecot/conf.d/10-ssl.conf contains an "ssl_protocols" variable that can
be used to specify the announced TLS versions.
If that fails to work for you, it is probably possible to 'solve' the
problem by downgrading "libssl1.1".
Of course, that also means opening your server to all kinds of
exploitation, so replacing this "Apple Mail" with an actual e-mail client
is definitely the way to go.

Reco
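
Whichever Dovecot setting applies (ssl_protocols on 2.2, ssl_min_protocol from 2.3 on), what matters is what the listener actually negotiates once the change is in. The following POSIX shell script is an added example, not code from the thread or from the Dovecot project: it asks an IMAP server, from the outside, which TLS versions it will complete a handshake for, using nothing but openssl s_client. Host and port are whatever you pass; port 993 is treated as implicit TLS and any other port as plain IMAP with STARTTLS. The caveat it handles is that a refusal can come from your own OpenSSL rather than the server (an OpenSSL 3 client at its default security level will not even offer TLS 1.0 or 1.1), so that case is reported separately. The classifier can be checked offline on constructed s_client output; the probe itself needs a reachable server.

```shell
#!/bin/sh
# Added example, not from the thread: ask an IMAP listener which TLS versions
# it will actually negotiate, using nothing but `openssl s_client`.
# HOST and PORT are whatever the caller passes; port 993 is taken as
# implicit TLS, any other port as plain IMAP with STARTTLS.

# classify_handshake: read the combined stdout+stderr of one s_client run
# from stdin and print a single word:
#   accepted        handshake completed ("New, TLSv1.x, Cipher is ...")
#   client-refused  the local OpenSSL would not even offer that version
#                   (OpenSSL 3 at its default security level does this for
#                   TLS 1.0 and 1.1; older builds lack -tls1_3 entirely)
#   rejected        the server declined, or no connection at all
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'no protocols available|unknown option'; then
        echo client-refused
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is '; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_imap_tls HOST PORT: try TLS 1.0 through 1.3 in turn and print the
# verdict for each. </dev/null makes s_client quit as soon as the handshake
# has succeeded or failed, so no IMAP commands are ever sent.
probe_imap_tls() {
    host=$1; port=$2; starttls=""
    [ "$port" = 993 ] || starttls="-starttls imap"
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        verdict=$(openssl s_client -connect "$host:$port" $starttls "-$v" \
                      </dev/null 2>&1 | classify_handshake)
        printf '%-8s %s\n' "$v" "$verdict"
    done
}

# Usage: sh probe.sh imap.example.org 143   (or 993 for implicit TLS)
if [ $# -eq 2 ]; then
    probe_imap_tls "$1" "$2"
fi
```

A listener that reports "accepted" for tls1 after the change is what the old client needs and also exactly the exposure Reco warns about; run the probe again after the old client is gone to confirm the floor is back at tls1_2.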

Re: dovecot, openssl, TLS1.0

Brad Rogers
In reply to this post by Jan Foniok-2
On Mon, 5 Nov 2018 14:29:51 +0100
Jan Foniok <[hidden email]> wrote:

Hello Jan,

>What is the best way out? Can TLS1.0 and 1.1 be enabled?

On 31 Oct, updates included info regarding TLS.  Read the mail sent to
sysadmin for options.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
You're only 29 got a lot to learn
Seventeen - Sex Pistols

Re: dovecot, openssl, TLS1.0

Brad Rogers
On Mon, 5 Nov 2018 17:46:14 +0100
Jan Foniok <[hidden email]> wrote:

Hello Jan,

Putting this back on D-U...

>thanks a lot for your reply and excuse my inexperience.

My apologies; that's my fault.  I made an unwarranted assumption about
your experience level.

>In spite of some effort I haven't found this sysadmin. Can you please
>give me some pointers...

Important information regarding an update, such as a change in default
behaviour of a package, is emailed to the sysadmin user.  This is usually
root, IIRC, but can be reconfigured to be anybody.  To read it, either
set up your email package to check for mail locally (i.e. collect it from
/var/mail/username), or simply look at the message in /var/mail/ -
it's plain text, of course.

Just in case it's gone, I repeat the message in its entirety here:

<quote>
openssl (1.1.1-2) unstable; urgency=medium

  Following various security recommendations, the default minimum TLS
  version has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft,
  Google and Apple plan to do the same around March 2020.

  The default security level for TLS connections has also been increased
  from level 1 to level 2. This moves from the 80 bit security level to
  the 112 bit security level and will require 2048 bit or larger RSA and
  DHE keys, 224 bit or larger ECC keys, and SHA-2.

  The system wide settings can be changed in /etc/ssl/openssl.cnf.
  Applications might also have a way to override the defaults.

  In the default /etc/ssl/openssl.cnf there is a MinProtocol and
  CipherString line. The CipherString can also set the security level.
  Information about the security levels can be found in the
  SSL_CTX_set_security_level(3ssl) manpage. The list of valid strings
  for the minimum protocol version can be found in SSL_CONF_cmd(3ssl).
  Other information can be found in ciphers(1ssl) and config(5ssl).

  Changing back the defaults in /etc/ssl/openssl.cnf to previous system
  wide defaults can be done using:
  MinProtocol = None
  CipherString = DEFAULT
</quote>

Hopefully, that points you in the right direction, and you'll be able
to make adjustments to your set up to suit your needs.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
You don't entertain ideas you simply bore them
I Don't Like You - Stiff Little Fingers
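
The changelog quoted above names the two lines that set the system-wide floor but shows neither the file's structure nor what "MinProtocol = None" leaves you with. The script below is an added example, not part of the thread or of Debian's packaging: it follows the openssl.cnf chain (a top-level openssl_conf key naming a section, whose ssl_conf key names a section, whose system_default key names the section holding MinProtocol and CipherString, which is the layout Debian's openssl 1.1.1 uses) and prints the effective minimum protocol and security level. It builds three constructed sample files for comparison: the values Debian's package shipped (TLSv1.2 at SECLEVEL=2), the revert the changelog describes, and an assumed narrower relaxation that admits only TLSv1 upward and states the level explicitly rather than leaving it to the library default. Point it at /etc/ssl/openssl.cnf on the server to see what is really in force there.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian: report the TLS floor an
# openssl.cnf sets system-wide, so "MinProtocol = None / CipherString =
# DEFAULT" can be compared with the shipped default and with a narrower
# relaxation. Assumes Debian's openssl 1.1.1 layout: openssl_conf -> section
# with ssl_conf -> section with system_default -> section holding
# MinProtocol and CipherString. The three sample files are constructed here.

# conf_value FILE SECTION KEY: print KEY's value inside [SECTION]
# (SECTION "" is the unnamed block before the first header); empty if unset.
conf_value() {
    awk -v sect="$2" -v key="$3" '
        BEGIN { insect = (sect == "") }
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { insect = ($0 ~ ("^[ \t]*\\[" sect "\\]")); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# tls_floor FILE: print "minproto=<version|none> seclevel=<n>".
# No MinProtocol line, or "None", means every compiled-in version is
# offered; a CipherString without "@SECLEVEL=" leaves OpenSSL's own
# library default, which is level 1.
tls_floor() {
    f=$1
    top=$(conf_value "$f" "" openssl_conf)
    sslsect=$(conf_value "$f" "$top" ssl_conf)
    sdsect=$(conf_value "$f" "$sslsect" system_default)
    minp=$(conf_value "$f" "$sdsect" MinProtocol)
    cs=$(conf_value "$f" "$sdsect" CipherString)
    case "$minp" in ""|None) minp=none ;; esac
    case "$cs" in
        *@SECLEVEL=*) lvl=${cs##*@SECLEVEL=}; lvl=${lvl%%[!0-9]*} ;;
        *)            lvl=1 ;;
    esac
    echo "minproto=$minp seclevel=$lvl"
}

# write_samples DIR: three constructed openssl.cnf files for comparison.
write_samples() {
    # The values Debian's openssl 1.1.1 package shipped.
    cat >"$1/debian-default.cnf" <<'EOF'
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
    # The revert the changelog describes: every version, library default level.
    sed -e 's/^MinProtocol = .*/MinProtocol = None/' \
        -e 's/^CipherString = .*/CipherString = DEFAULT/' \
        "$1/debian-default.cnf" >"$1/thread-revert.cnf"
    # Assumed narrower relaxation (not from the thread): TLSv1 upward only,
    # level stated explicitly so a later library default cannot move it.
    sed -e 's/^MinProtocol = .*/MinProtocol = TLSv1/' \
        -e 's/^CipherString = .*/CipherString = DEFAULT@SECLEVEL=1/' \
        "$1/debian-default.cnf" >"$1/narrow.cnf"
}

# Usage: sh tlsfloor.sh /etc/ssl/openssl.cnf
# With no argument, audit the three constructed samples side by side.
if [ $# -eq 1 ]; then
    tls_floor "$1"
else
    d=$(mktemp -d)
    write_samples "$d"
    for f in debian-default thread-revert narrow; do
        printf '%-15s %s\n' "$f" "$(tls_floor "$d/$f.cnf")"
    done
    rm -r "$d"
fi
```

The two settings are independent: lowering MinProtocol alone does not get a 1024-bit RSA certificate or an old cipher past level 2, and lowering the level alone does not re-enable TLS 1.0, which is why the changelog's revert changes both.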

Re: dovecot, openssl, TLS1.0

Jan Foniok-2
Hello,

> On 5 Nov 2018, at 21:19, Brad Rogers <[hidden email]> wrote:

>> In spite of some effort I haven't found this sysadmin. Can you please
>> give me some pointers...
>
> Important information regarding an update, such as a change in default
> behaviour of a package, is emailed to the sysadmin user.  This is usually
> root, IIRC, but can be reconfigured to be anybody.

Is there a package that needs to be installed for that to happen?

On my postfix installation there is no sysadmin alias (there is system, admin, and many others). Nor is there any sign of undelivered emails to sysadmin in the mail logs.

>  Changing back the defaults in /etc/ssl/openssl.cnf to previous system
>  wide defaults can be done using:
>  MinProtocol = None
>  CipherString = DEFAULT

This helps indeed, even though I recognise that there is a security issue.

I hope either Apple will fix OS X El Capitan to fully support TLSv1.2, or users will stop using 9-year-old laptops that cannot be upgraded any further than that OS X version. (But why chuck a perfectly working computer??)

Thanks again for your help,
Jan


Re: dovecot, openssl, TLS1.0

Brad Rogers
On Tue, 6 Nov 2018 15:15:48 +0000
Jan Foniok <[hidden email]> wrote:

Hello Jan,

>Is there a package that needs to be installed for that to happen?

I believe that exim is installed (at least in part) for this.
>
>On my postfix installation there is no sysadmin alias (there is system,

I didn't mean sysadmin literally.  I meant it as in "whoever has the
role of sysadmin".  Usually root, IIRC.  I know I changed it on my
system to have the mail sent to my username.  That was nearly ten years
ago, and I cannot remember what I did to change it.  I do know it wasn't
too difficult, though(0).

>admin, and many others). Nor is there any sign of undelivered emails to
>sysadmin in the mail logs.

Look in /var/mail/ and see what user names exist, and what, if any, mail
exists in their relevant directories.  This may require superuser
privileges(1) to enable you to access all mail directories.

(0)  Otherwise, I wouldn't have done it.   :-)

(1)  IDK for sure, since there's only one user listed under /var/mail/ on
my system - my username.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Save me from everybody else
Prisoners - Judgement Centre

Re: dovecot, openssl, TLS1.0

Michael Wagner
On Nov 06, 2018 at 16:43:57, Brad Rogers wrote:

> On Tue, 6 Nov 2018 15:15:48 +0000 Jan Foniok <[hidden email]> wrote:
> >Is there a package that needs to be installed for that to happen?
>
> I believe that exim is installed (at least in part) for this.
> >
> >On my postfix installation there is no sysadmin alias (there is system,
>
> I didn't mean sysadmin literally.  I meant it as in "whoever has the
> role of sysadmin".  Usually root, IIRC.  I know I changed it on my
> system to have the mail sent to my username.  That was nearly ten years
> ago, and I cannot remember what I did to change it.  I do know it wasn't
> too difficult, though(0).

You must change /etc/aliases when an MTA is installed.

Hth Michael

--
If Murphy's Law can go wrong, it will.
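
"The sysadmin user" is whatever /etc/aliases says root resolves to, possibly through several hops (postmaster to root, root to a person). The script below is an added example, not part of the thread: it follows that chain in an aliases file and prints the mailbox or address the mail finally lands in. It assumes the sendmail-style "name: target" syntax that Postfix and Exim both read from /etc/aliases, and runs against a constructed sample file unless you pass a real one. After editing the real file on a Postfix host, run newaliases so the compiled aliases database picks up the change.

```shell
#!/bin/sh
# Added example, not from the thread: follow the /etc/aliases chain to see
# where mail for a local user such as root actually ends up. Assumes the
# sendmail-style "name: target[, target...]" syntax; the sample file below
# is constructed here, not copied from any system.

# alias_target FILE NAME: print the right-hand side of NAME's alias line
# (comments and blank lines skipped); nothing if NAME has no alias.
alias_target() {
    awk -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { n = $0; sub(/[ \t]*:.*/, "", n) }
        n == name { sub(/^[^:]*:[ \t]*/, ""); print; exit }
    ' "$1"
}

# resolve_alias FILE NAME: expand NAME until something has no further alias
# (a local mailbox or an external address). A comma-separated target list
# is printed as it stands; a loop such as "a: b" / "b: a" is cut off after
# 16 hops instead of spinning forever.
resolve_alias() {
    f=$1; cur=$2; hops=0
    while [ "$hops" -lt 16 ]; do
        case "$cur" in *,*) break ;; esac
        next=$(alias_target "$f" "$cur")
        [ -n "$next" ] || break
        cur=$next
        hops=$((hops + 1))
    done
    echo "$cur"
}

# write_sample_aliases FILE: a constructed aliases file in the shape Debian's
# MTAs install, plus the one line that decides who gets the sysadmin mail.
write_sample_aliases() {
    cat >"$1" <<'EOF'
# /etc/aliases (constructed sample)
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
webmaster: root
# the line that decides where "sysadmin" mail really goes:
root: jan
EOF
}

# Usage: sh aliases.sh /etc/aliases root
# With no arguments, show the sample chain for a few names.
if [ $# -eq 2 ]; then
    resolve_alias "$1" "$2"
else
    tmp=$(mktemp)
    write_sample_aliases "$tmp"
    for who in mailer-daemon postmaster root www-data; do
        printf '%-14s -> %s\n' "$who" "$(resolve_alias "$tmp" "$who")"
    done
    rm -f "$tmp"
fi
```

If root resolves to a name that has no mailbox in /var/mail and no alias, the update notice from the openssl package went nowhere, which matches what Jan found in his mail logs.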

Re: dovecot, openssl, TLS1.0

Brad Rogers
On Tue, 6 Nov 2018 18:11:54 +0100
Michael Wagner <[hidden email]> wrote:

Hello Michael,

>You must change /etc/aliases, when an MTA is installed.
>Hth Michael

I knew it was something simple.  Thanks Michael.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
I'll be the rubbish you'll be the bin
Love Song - The Damned
