Make ISPConfig secure

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Jul 21, 2021.

  1. Hello,
    I recently changed employers and my new employer is very fond of ISPConfig, which I haven't used so far. At my last employer I taught myself to use Greenbone, formerly OpenVAS, to scan new servers before taking them into active service. By default ISPConfig is rather open when it comes to security and Greenbone confirms this. After googling I found a recent and, for me, rather helpful tutorial for securing both Postfix and Dovecot, which I can't link yet, and added the following lines to the configuration of Postfix and Dovecot:

    Postfix: main.cf
    smtpd_tls_eecdh_grade = strong
    smtpd_tls_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_security_level=may
    smtpd_tls_ciphers = high
    tls_preempt_cipherlist = yes
    smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

    Dovecot: /etc/dovecot/conf.d/10-ssl.conf
    ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:ALL:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SSLv2
    ssl_prefer_server_ciphers = yes
    ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
    ssl_min_protocol = TLSv1.2

    Of course I have restarted both services after changing the files. In my understanding this should disable TLS 1.0 and 1.1 in both Postfix and Dovecot. Unfortunately I can't post the screenshot, so I will try to replicate the result of Greenbone in text form.

    POP3 Unencrypted Cleartext Login 110
    IMAP Unencrypted Cleartext Login 143
    SMTP Unencrypted Cleartext Login 25
    SSL/TLS Deprecated TLSv1.0 and TLSv1.1 Protocol Detection 465
    SSL/TLS Deprecated TLSv1.0 and TLSv1.1 Protocol Detection 587
    SSL/TLS Deprecated TLSv1.0 and TLSv1.1 Protocol Detection 25

    Why does Greenbone show TLS 1.0 and 1.1 as available, and how do I get rid of the unencrypted cleartext logins?
    Dovecot has a minimum protocol of 1.2 and the configuration I applied explicitly forbids earlier versions. Is this an error in Dovecot or in Greenbone?
    How can I get a working instance of ISPConfig which gets a rating of not more than "Low"?
    Yours sincerely
    Stefan
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The Dovecot configuration file is /etc/dovecot/dovecot.conf; the file you edited, /etc/dovecot/conf.d/10-ssl.conf, is not used at all on your server, which is why the changes in that file did not work.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    How was ISPConfig installed? I have found that ISPConfig makes a pretty secure setup.
    What kinds of things does that Greenbone complain about?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    According to the settings in the first post, the tool complained that we are using a medium SSL cipher set and TLS modes that are compatible with older clients. The tool seems to accept only the latest ciphers as acceptable, which would cause problems on most hosting systems if you don't control the clients as well to enforce that they use only the latest software. The other thing is that SSL on POP3/IMAP/SMTP is offered but not enforced. So ISPConfig is secure, but not a paranoid setup, as our support forum here would rapidly fill up with complaints that ISPConfig is not working if we did so. We switch off older modes on a regular basis, but we have to keep the user base in mind, which means that we cannot allow only the latest SSL ciphers or the latest TLS mode.
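    Added example (not code from the thread, from ISPConfig or from the scanner): a small Python checker that reproduces the two kinds of finding quoted in the first post and the point made above about TLS being offered but not enforced. The capability parsers decide, from the pre-STARTTLS EHLO, CAPABILITY or CAPA reply, whether a client could send its password in the clear; probe_deprecated_tls() asks a port whether it still completes a handshake when the client offers only TLS 1.0 or 1.1. The replies shown in the docstrings are constructed; the host name, port numbers and timeout are assumptions.

```python
"""Added example (not from the thread or ISPConfig): reproduce the two kinds of
scan finding quoted in this thread against a mail host, so a configuration change
can be checked without re-running the scanner. Host and ports are assumptions."""
import socket
import ssl

PASSWORD_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that transmit the password

def parse_smtp_ehlo(reply: str) -> set[str]:
    """'250-host\\r\\n250-STARTTLS\\r\\n250 AUTH PLAIN LOGIN' -> keyword set."""
    caps = set()
    for line in reply.splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            caps.add(line[4:].strip().upper())
    return caps

def parse_imap_capability(line: str) -> set[str]:
    """'* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN' -> token set."""
    parts = line.split()
    if parts[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response")
    return {p.upper() for p in parts[2:]}

def parse_pop3_capa(reply: str) -> set[str]:
    """'+OK\\r\\nSTLS\\r\\nUSER\\r\\nSASL PLAIN LOGIN\\r\\n.' -> capability set."""
    lines = [l.strip() for l in reply.splitlines()]
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA rejected")
    return {l.upper() for l in lines[1:lines.index(".") if "." in lines else None]}

def _mechs(caps: set[str], keyword: str) -> set[str]:
    """Mechanisms behind 'AUTH PLAIN LOGIN', 'AUTH=PLAIN' or 'SASL PLAIN' entries."""
    mechs = set()
    for cap in caps:
        if cap.startswith(keyword + " ") or cap.startswith(keyword + "="):
            mechs.update(cap[len(keyword) + 1:].split())
    return mechs

def cleartext_login_offered(proto: str, caps: set[str]) -> bool:
    """True when the pre-STARTTLS capability list lets a client send its password."""
    if proto == "smtp":
        return bool(_mechs(caps, "AUTH") & PASSWORD_MECHS)
    if proto == "imap":  # RFC 3501: LOGIN is permitted unless LOGINDISABLED is advertised
        return "LOGINDISABLED" not in caps or bool(_mechs(caps, "AUTH") & PASSWORD_MECHS)
    if proto == "pop3":
        return "USER" in caps or bool(_mechs(caps, "SASL") & PASSWORD_MECHS)
    raise ValueError(f"unknown protocol {proto!r}")

def _read_reply(sock: socket.socket, done) -> bytes:
    """Read CRLF-terminated lines until done(line) is true; return that line."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            if done(line):
                return line

def _smtp_final(line: bytes) -> bool:  # '250 ' ends an SMTP reply, '250-' continues it
    return len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" "

# per protocol: banner complete?, greeting, upgrade command, reply complete?, success prefix
STARTTLS = {
    "smtp": (_smtp_final, b"EHLO probe.invalid\r\n", b"STARTTLS\r\n", _smtp_final, b"220"),
    "imap": (lambda l: l.startswith(b"* "), None, b"p1 STARTTLS\r\n",
             lambda l: l.startswith(b"p1 "), b"p1 OK"),
    "pop3": (lambda l: l[:1] in (b"+", b"-"), None, b"STLS\r\n",
             lambda l: l[:1] in (b"+", b"-"), b"+OK"),
}

def probe_deprecated_tls(host: str, port: int, starttls=None, timeout=5.0) -> dict[str, bool]:
    """{'TLSv1.0': accepted?, 'TLSv1.1': accepted?} for host:port. starttls is 'smtp',
    'imap' or 'pop3' on opportunistic-TLS ports (25/587/143/110), None on implicit-TLS
    ports (465/993/995). False also covers a local OpenSSL that refuses to offer 1.0/1.1."""
    results = {}
    for name, version in (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1)):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # protocol test, not cert test
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let a modern OpenSSL still offer TLS 1.0/1.1
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                if starttls:
                    banner_done, hello, cmd, cmd_done, ok = STARTTLS[starttls]
                    _read_reply(sock, banner_done)
                    if hello:
                        sock.sendall(hello)
                        _read_reply(sock, _smtp_final)
                    sock.sendall(cmd)
                    if not _read_reply(sock, cmd_done).startswith(ok):
                        raise ConnectionError("server refused STARTTLS")
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True  # handshake completed with only this version offered
        except (OSError, ValueError):  # ssl.SSLError and socket.timeout are OSError subclasses
            results[name] = False
    return results
```

    Call probe_deprecated_tls(host, 587, "smtp") for a STARTTLS port and probe_deprecated_tls(host, 465) for implicit TLS; a port that returns True for either version is what the scanner reports as "Deprecated TLSv1.0 and TLSv1.1 Protocol Detection", and a pre-STARTTLS capability list for which cleartext_login_offered() returns True is the "Unencrypted Cleartext Login" finding. On the server itself, `postconf -n` and `doveconf -n` print the settings actually in effect, and the first line of `doveconf -n` names the configuration file Dovecot read, which is the quickest way to notice that a file such as 10-ssl.conf is not being loaded.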
     
