Hi,

When I test the ISPConfig 3 mail server online with the website "en.Internet.nl", I get the message "key exchange parameters". How can I solve this problem?

Kind regards,
Rob
Start with this: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/

My guess is your OS has too old a TLS library, or you have not configured the used versions properly.
Hi Taleman and Tom,

I run on Debian 10 and ISPConfig 3.2.5.

Code:
```
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 10 (buster)
[INFO] uptime:  22:37:42 up 12:36,  0 users,  load average: 0,19, 0,18, 0,12
[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:          3,6Gi       2,0Gi       706Mi        53Mi       907Mi       1,3Gi
Swap:          83Gi        20Mi        83Gi

[INFO] systemd failed services status:
  UNIT                       LOAD   ACTIVE SUB    DESCRIPTION
● certbot.service            loaded failed failed Certbot
● systemd-quotacheck.service loaded failed failed File System Quota Check

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

2 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.5

##### VERSION CHECK #####
[INFO] php (cli) version is 7.3.29-1~deb10u1
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.3.29

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
    Apache 2 (PID 2466)
[INFO] I found the following mail server(s):
    Postfix (PID 1092)
[INFO] I found the following pop3 server(s):
    Dovecot (PID 695)
[INFO] I found the following imap server(s):
    Dovecot (PID 695)
[INFO] I found the following ftp server(s):
    PureFTP (PID 1138)

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:993 (695/dovecot)
[anywhere]:995 (695/dovecot)
[localhost]:10023 (780/postgrey)
[localhost]:10024 (1237/amavisd-new)
[localhost]:10025 (1092/master)
[localhost]:10026 (1237/amavisd-new)
[localhost]:3306 (677/mysqld)
[localhost]:10027 (1092/master)
[anywhere]:587 (1092/master)
[localhost]:11211 (569/memcached)
[anywhere]:110 (695/dovecot)
[anywhere]:143 (695/dovecot)
[anywhere]:465 (1092/master)
[anywhere]:21 (1138/pure-ftpd)
***.***.***.***:53 (587/named)
[localhost]:53 (587/named)
[anywhere]:22 (607/sshd)
[anywhere]:25 (1092/master)
[localhost]:953 (587/named)
*:*:*:*::*:3389 (678/xrdp)
*:*:*:*::*:993 (695/dovecot)
*:*:*:*::*:995 (695/dovecot)
*:*:*:*::*:10023 (780/postgrey)
*:*:*:*::*:10024 (1237/amavisd-new)
*:*:*:*::*:10026 (1237/amavisd-new)
*:*:*:*::*:587 (1092/master)
[localhost]10 (695/dovecot)
[localhost]43 (695/dovecot)
*:*:*:*::*:8080 (2466/apache2)
*:*:*:*::*:80 (2466/apache2)
*:*:*:*::*:8081 (2466/apache2)
*:*:*:*::*:465 (1092/master)
*:*:*:*::*:21 (1138/pure-ftpd)
*:*:*:*::*:53 (587/named)
*:*:*:*::*:3350 (618/xrdp-sesman)
*:*:*:*::*:22 (607/sshd)
*:*:*:*::*:25 (1092/master)
*:*:*:*::*:953 (587/named)
*:*:*:*::*:443 (2466/apache2)

##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target            prot opt source               destination
f2b-postfix-sasl  tcp  --  [anywhere]/0         [anywhere]/0         multiport dports 25

Chain FORWARD (policy ACCEPT)
target            prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target            prot opt source               destination

Chain f2b-postfix-sasl (1 references)
target            prot opt source               destination
REJECT            all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
REJECT            all  --  ***.***.***.***      [anywhere]/0         reject-with icmp-port-unreachable
RETURN            all  --  [anywhere]/0         [anywhere]/0

##### LET'S ENCRYPT #####
Certbot is installed in /usr/bin/letsencrypt
```
The test you refer to complains about

Code:
```
Mail server (MX)        Affected TLS versions   Status
mail.triumph-tr2.com.   TLS 1.1                 phase out
...                     TLS 1.0                 phase out
```

Debian 10 has newer versions of the necessary protocols. I have in my SSLProtocol setting "... -TLSv1 -TLSv1.1 ...", which disables those that your test complains about. Have you altered that setting in the Apache configuration? How was this host installed?
Hi,

Where can I change the SSLProtocol settings? ISPConfig was installed with these instructions: https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
Using Internet search engines with

Code:
```
site:howtoforge.com SSLProtocol
```

I found for example these:
https://www.howtoforge.com/community/threads/sslprotocol.83098/
https://www.howtoforge.com/community/threads/disabling-tls-1-0-and-1-1.83571/
You should keep TLSv1 and TLSv1.1 enabled for now, because of old mailservers not supporting newer protocols. Also, the SSLProtocol does not cause your current issue. The problem is that you are using a self signed DH key. To fix this:

Code:
```
nano /etc/ssl/private/ffdhe4096.pem
```

Put this pre-defined group in there:

Code:
```
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----
```

Then, define that .pem file in the Postfix config:

Code:
```
smtpd_tls_dh1024_param_file = /etc/ssl/private/ffdhe4096.pem
```

You can follow this guide on how to add custom config for your postfix setup that is not overwritten with the next ISPConfig update: https://www.howtoforge.com/communit...-for-custom-postfix-and-dovecot-config.86559/

I have a 100% score on internet.nl and belong to the internet.nl hall of fame of hosters, so I am sure this works.
Hi Tom,

Thanks for the information. I tried what you wrote above, but I still get this warning on internet.nl. I put the pre-defined group in /etc/ssl/private/ffdhe4096.pem and after this I defined

Code:
```
smtpd_tls_dh1024_param_file = /etc/ssl/private/ffdhe4096.pem
```

in /etc/postfix/main.cf, but I still get this warning: "Failed: Key exchange parameters" on internet.nl.
Hi Tom,

I restarted Postfix with `sudo /etc/init.d/postfix restart`, but I still get the warning on internet.nl.
On Debian 10, you normally use systemd to restart services. Using init scripts may cause the daemon to not restart under some circumstances.

Code:
```
systemctl restart postfix
```
Hi,

Still not A+ for mail TLS. There are 2 errors to solve, as shown below. How can I solve

A) Cipher order
B) Key exchange parameters
Hi,

Still not A+ for mail TLS. There is only one error left to solve! How can I solve

A) Cipher order

How to solve this cipher order?
Hi,

I'm now testing the website score. This is 97%, but I also get this error. What should I change in /etc/apache2/mods-available/ssl.conf to get rid of this error?

Code:
```
Key exchange parameters
Verdict: Your web server supports insufficiently secure parameters for Diffie-Hellman key exchange.
Technical details:
Web server IP address   Affected parameters   Status
                        DH-4096               insufficient
                        DH-4096               insufficient
```

Thanks
I have added these lines to that file:

Code:
```
SSLOpenSSLConfCmd ECDHParameters Automatic
SSLOpenSSLConfCmd Curves prime256v1:secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/ffdhe4096.pem"
```
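Both fixes in this thread, Tom's Postfix `smtpd_tls_dh1024_param_file` line and the Apache `SSLOpenSSLConfCmd DHParameters` line above, point Postfix and Apache at the same ffdhe4096.pem. As an added example that is not from the thread or from ISPConfig, this Python checker parses that PEM (the group as posted by Tom) and reports what the scanner's "Key exchange parameters" verdict is about: the group size, the generator, and whether the prime has the shape of a published RFC 7919 group rather than a locally generated one, which the thread shows being rated "DH-4096 insufficient" even at 4096 bits.

```python
import base64
import re

# RFC 7919 ffdhe4096 group, copied from Tom's post above (the intended content of
# /etc/ssl/private/ffdhe4096.pem); this is the page's own value, not a constructed one.
FFDHE4096_PEM = """-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
-----END DH PARAMETERS-----"""

def _der_int(buf, pos):
    """Decode the DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length

def parse_dh_params(pem):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    body = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END", pem, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    pos = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)  # skip the SEQUENCE header
    p, pos = _der_int(der, pos)
    g, _ = _der_int(der, pos)
    return p, g

def assess_dh(pem, minimum_bits=2048):
    """Scanner-style checks: group size, and whether it is a well-known RFC 7919 group."""
    p, g = parse_dh_params(pem)
    bits, ones64 = p.bit_length(), (1 << 64) - 1
    # RFC 7919 primes have all-ones top and bottom 64 bits; a locally generated group
    # does not, and the thread shows such a 4096-bit group still rated "insufficient".
    rfc7919_shape = (p >> (bits - 64)) == ones64 and (p & ones64) == ones64
    return {"bits": bits, "generator": g, "rfc7919_shape": rfc7919_shape,
            "ok": bits >= minimum_bits and rfc7919_shape}
```

Running `assess_dh(open("/etc/ssl/private/ffdhe4096.pem").read())` on the server tells you whether the file you pasted really is the 4096-bit published group before you re-run the online test.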
Are these tweaks appropriate for the general ISPConfig install base? Or do they break some clients, and should they only be made by select folks who want top SSL ratings at the expense of some client breakage?