Hello, I was searching for a while how to solve an issue I had with the Key Exchange Parameters failing in the test. All Postfix guides point you to self-generate the DH challenge at 2048, which is not deemed safe anymore. The line used is this:

Code:
openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem

When you try to up this to 4096 it will not make any change, since according to RFC 7919 DH is no longer safe. After a lot of trial and error I have found a solution which is working for me... and it is so simple... (if you download the correct file). I downloaded this file: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem

Modified main.cf to reflect this: smtpd_tls_dh1024_param_file = ${config_directory}/ffdhe4096.pem

Code:
cd /etc/postfix
wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
chmod 644 ffdhe4096.pem
postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/ffdhe4096.pem"
service postfix restart

I really would have liked to get this working with the elliptic curves, which are good instead of sufficient, but after a lot of trial and error this was the best I could do at this moment.
For other services:

Dovecot:
Code:
vi /etc/dovecot/dovecot.conf
# replace the line starting with ssl_dh with
ssl_dh = </etc/postfix/ffdhe4096.pem

Restart Dovecot
Code:
service dovecot restart

For Apache, there was a lot more wrong (at least in my config). Added to /etc/apache2/apache2.conf
Code:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLOpenSSLConfCmd DHParameters /etc/postfix/ffdhe4096.pem
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

Restart Apache
Code:
service apache2 restart

PureFTPd:
Code:
cp /etc/postfix/ffdhe4096.pem /etc/ssl/private/pure-ftpd-dhparams.pem
service pure-ftpd-mysql restart
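Before pointing Postfix, Dovecot or Apache at a downloaded parameter file, it is worth confirming that the file is what you think it is. The script below is an added example and not part of this post: it decodes the PEM/DER structure of a "DH PARAMETERS" file (SEQUENCE of INTEGER p and INTEGER g) without OpenSSL, reports the size of the prime, and checks that p is a probable safe prime and that g is in range. The p=23, g=5 group built at the bottom is a constructed sample that exists only to show the size policy rejecting a well-formed but tiny group; pass the path of ffdhe4096.pem as the first argument to inspect the real file.

```python
"""Inspect a PEM "DH PARAMETERS" file (e.g. ffdhe4096.pem) without OpenSSL.

Added example, not code from the forum thread. The DER layout is
SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength OPTIONAL] }.
"""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)


def _read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_dh_params(pem):
    """Return {'p': int, 'g': int, 'bits': int} from PEM text."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected an outer SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)    # an optional third INTEGER is ignored
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    p = int.from_bytes(p_bytes, "big", signed=True)
    g = int.from_bytes(g_bytes, "big", signed=True)
    return {"p": p, "g": g, "bits": p.bit_length()}


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with fixed small bases; adequate for a sanity check."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)
    for q in small:                        # trial division also settles every n <= 53
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(pem, min_bits=2048):
    """Parse a parameter file and judge it against a minimum-size policy."""
    info = parse_dh_params(pem)
    p, g = info["p"], info["g"]
    info["safe_prime"] = _is_probable_prime(p) and _is_probable_prime((p - 1) // 2)
    info["generator_ok"] = 1 < g < p - 1
    info["long_enough"] = info["bits"] >= min_bits
    info["ok"] = info["safe_prime"] and info["generator_ok"] and info["long_enough"]
    return info


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")   # spare byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body


def make_dh_pem(p, g):
    """Encode (p, g) as a PEM DH PARAMETERS file; used here only to build sample input."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"


# Constructed sample: the textbook group p=23, g=5 is a valid safe-prime group
# but far too small, so the size policy must reject it.
SAMPLE_PEM = make_dh_pem(23, 5)

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    result = check_dh_params(pem, min_bits=4096)
    for key in ("bits", "safe_prime", "generator_ok", "long_enough", "ok"):
        print(f"{key:13} {result[key]}")
```

On a real ffdhe4096.pem the primality test runs a few dozen 4096-bit modular exponentiations, so expect it to take several seconds; "bits 4096" together with "safe_prime True" is the result you want before restarting the daemons.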
Good point. Don't forget to use the file also for apache/dovecot and/or other services you are using!
Didn't think of that...
I put the .pem in a central directory so all services use the same file. I have 100% on both tests now.
How did you go around the Pure-FTP with the central location? I couldn't find where to configure that.
Be aware that in the standard configuration ISPConfig overwrites (some) SSL settings in the vhost files. For myself I created a custom master vhost without the SSL configuration and do all config in /etc/apache2/mods-enabled/ssl.conf. I have the original file in /etc/ssl/private/ and all programs refer to that.
Could you post your other tls related configuration parameters for postfix? I tried the ffdhe4096 pem file mentioned but still get the same "Key exchange parameters" failure.
Sorry for the late reply. I didn't receive a notification.

Code:
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
#smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ca.crt
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !TLSv1,!TLSv1.1,!SSLv2,!TLSv3
smtpd_tls_mandatory_protocols = !TLSv1,TLSv1.1,!SSLv2, !SSLv3
smtpd_tls_protocols = !TLSv1,!TLSv1.1,!SSLv2,!SSLv3
smtp_tls_protocols = !TLSv1,!TLSv1.1,!SSLv2,!SSLv3
smtpd_tls_dh1024_param_file = ${config_directory}/ffdhe4096.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_eecdh_grade = auto
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_ciphers = medium
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
lmtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
lmtp_tls_ciphers = $smtpd_tls_ciphers
tls_ssl_options = NO_RENEGOTIATION
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
@SpeedyB you might want to recheck your config file. Shouldn't that be:

Code:
smtp_tls_mandatory_protocols = !TLSv1,!TLSv1.1,!SSLv2,!SSLv3
I think this must have gone wrong during the copy-paste and autocorrect... the config was configured with !SSLv3 on both lines. This was a copy from an offline copy of a file... So I might have already fixed it before.
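The two slips in the configuration posted above (an invalid name, !TLSv3, and TLSv1.1 missing its leading '!') are exactly the kind of thing a tiny linter catches before a restart. The script below is an added example, not code from this thread or from Postfix: it reads main.cf-style text, picks out the *_tls_protocols and *_tls_mandatory_protocols parameters, validates every token against the protocol names Postfix accepts, flags a list that mixes '!' exclusions with bare names, and reports which legacy versions a setting still allows. How it treats a mixed list (as an exclusion list) is an assumption made for the report, not Postfix's documented behaviour. The sample text reuses the four protocol lines posted above and adds one constructed lmtp line in the ">=" form that newer Postfix releases accept.

```python
"""Lint the *_tls_*protocols settings in a Postfix main.cf.

Added example, not from the thread. It catches the slips discussed above
(an invalid protocol name such as !TLSv3, a name that lost its leading '!')
and reports which protocol versions each setting still allows.
"""
import re

ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {name.lower(): name for name in ORDER}      # Postfix names are case-insensitive
LEGACY = set(ORDER[:4])
PROTO_PARAM_RE = re.compile(r"^(?:smtpd?|lmtp)_tls_(?:mandatory_)?protocols$")


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def lint_protocol_list(value):
    """Return a list of problem strings for one protocol-list value (empty list = fine)."""
    problems = []
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]   # separators: space, comma, colon
    included, excluded, minimum = [], [], None
    for tok in tokens:
        if tok.startswith(">="):
            kind, raw = "min", tok[2:]
        elif tok.startswith("!"):
            kind, raw = "exclude", tok[1:]
        else:
            kind, raw = "include", tok
        name = CANON.get(raw.lower())
        if name is None:
            problems.append(f"unknown protocol name {tok!r}; valid names are {' '.join(ORDER)}")
            continue
        if kind == "min":
            minimum = name
        elif kind == "exclude":
            excluded.append(name)
        else:
            included.append(name)

    if minimum:                                  # ">=TLSv1.2" style minimum version
        allowed = set(ORDER[ORDER.index(minimum):])
    elif not tokens:
        allowed = set(ORDER)                     # an empty value means all available protocols
    elif excluded and included:
        problems.append(f"mixes '!' exclusions with bare names {included}; "
                        "a name probably lost its leading '!'")
        allowed = set(ORDER) - set(excluded)     # assumption: read a mixed list as exclusions
    elif excluded:
        allowed = set(ORDER) - set(excluded)
    else:
        allowed = set(included)

    still_legacy = sorted(allowed & LEGACY, key=ORDER.index)
    if still_legacy:
        problems.append(f"still allows legacy protocol(s): {', '.join(still_legacy)}")
    return problems


def lint_main_cf(text):
    """Lint every protocol-list parameter found in main.cf text."""
    settings = parse_main_cf(text)
    return {k: lint_protocol_list(v) for k, v in settings.items() if PROTO_PARAM_RE.match(k)}


# Sample input: the four protocol lines as posted earlier in this thread, plus a
# constructed lmtp line showing the ">=" form.
SAMPLE_MAIN_CF = """
smtpd_tls_security_level = may
smtp_tls_mandatory_protocols = !TLSv1,!TLSv1.1,!SSLv2,!TLSv3
smtpd_tls_mandatory_protocols = !TLSv1,TLSv1.1,!SSLv2, !SSLv3
smtpd_tls_protocols = !TLSv1,!TLSv1.1,!SSLv2,!SSLv3
smtp_tls_protocols = !TLSv1,!TLSv1.1,!SSLv2,!SSLv3
lmtp_tls_protocols = >=TLSv1.2
"""

if __name__ == "__main__":
    for param, problems in lint_main_cf(SAMPLE_MAIN_CF).items():
        print(param, "OK" if not problems else "")
        for problem in problems:
            print("   -", problem)
```

Run against the sample, the two mandatory lines each get two findings (the bad token or the mixed list, and the legacy version that is consequently left enabled), while the two clean lines and the ">=" line pass. Point it at your own main.cf by reading the file into lint_main_cf.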