{"id":2510,"date":"2014-10-01T11:00:30","date_gmt":"2014-10-01T10:00:30","guid":{"rendered":"https:\/\/beufa.net\/?p=2510"},"modified":"2014-10-01T11:01:33","modified_gmt":"2014-10-01T10:01:33","slug":"perfect-forward-secrecy-pour-postfix-dovecot","status":"publish","type":"post","link":"https:\/\/beufa.net\/fr\/blog\/perfect-forward-secrecy-pour-postfix-dovecot\/","title":{"rendered":"Perfect Forward Secrecy pour Postfix\/Dovecot"},"content":{"rendered":"

Apr\u00e8s mon article sur PFS pour Apache<\/a>, j’ai mis \u00e9galement en place PFS sur mon serveur de messagerie Postfix\/Dovecot, le client K9-Mail pour Android supportant d\u00e9sormais des versions plus r\u00e9centes de TLS, TLSv1.1 et v1.2<\/a>.<\/p>\n

Voici ici quelques \u00e9l\u00e9ments pour r\u00e9aliser cette configuration et augmenter la s\u00e9curisation des flux chiffr\u00e9s.<\/p>\n

<\/p>\n

Postfix<\/h3>\n

Tout d’abord, pour utiliser TLS avec les propri\u00e9t\u00e9s PFS sous Postfix, il faut g\u00e9n\u00e9rer les cl\u00e9s DH<\/a>. Cette op\u00e9ration peut \u00eatre r\u00e9alis\u00e9e par crontab pour am\u00e9liorer encore la s\u00e9curit\u00e9 des communications TLS. Il est \u00e9galement possible de g\u00e9n\u00e9rer un DH \u00e0 2048 bits.<\/p>\n

openssl gendh -out \/etc\/postfix\/dh_512.pem -2 512\r\nopenssl gendh -out \/etc\/postfix\/dh_1024.pem -2 1024<\/pre>\n
Une fois les cl\u00e9s g\u00e9n\u00e9r\u00e9es, il faut modifier le fichier de configuration main.cf de Postfix :<\/p>\n
# Cl\u00e9s DH\r\nsmtpd_tls_dh1024_param_file = \/etc\/postfix\/dh_1024.pem\r\nsmtpd_tls_dh512_param_file = \/etc\/postfix\/dh_512.pem\r\n# Activation d'ECDH\r\nsmtpd_tls_eecdh_grade = strong\r\n# D\u00e9sactivation de SSLv2\r\nsmtpd_tls_protocols= !SSLv2\r\nsmtpd_tls_mandatory_protocols= !SSLv2\r\n# Activation de la cipher list tls_high_cipherlist\r\n# (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)\r\nsmtpd_tls_mandatory_ciphers = high\r\n#smtpd_tls_ciphers = high\r\n# Forcer la s\u00e9lection \/ choix de la cipher list c\u00f4t\u00e9 serveur (c\u00f4t\u00e9 client par d\u00e9faut)\r\ntls_preempt_cipherlist = yes\r\n# Suppression des cipher non souhait\u00e9s\r\nsmtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL\r\n# Activation du log cipher pour les connexions entrantes\r\nsmtpd_tls_loglevel = 1\r\n# Activation du log cipher pour les connexions sortantes\r\nsmtp_tls_loglevel = 1<\/pre>\n
Un red\u00e9marrage de Postfix permettra de constater des logs comme celui ci (Merci Google et Amazon AWS\u00a0 ;), indiquant l’utilisation du chiffrement par courbes elliptiques et des propri\u00e9t\u00e9s cipher lists forc\u00e9es.<\/p>\n
postfix\/smtpd[26611]: connect from mail-wg0-x238.google.com[2a00:1450:400c:c00::238]\r\npostfix\/smtpd[26611]: setting up TLS connection from mail-wg0-x238.google.com[2a00:1450:400c:c00::238]\r\npostfix\/smtpd[26611]: Anonymous TLS connection established from mail-wg0-x238.google.com[2a00:1450:400c:c00::238]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128\/128 bits)\r\n\r\npostfix\/smtpd[28846]: connect from a0-41.smtp-out.eu-west-1.amazonses.com[54.240.0.41]\r\npostfix\/smtpd[28846]: setting up TLS connection from a0-41.smtp-out.eu-west-1.amazonses.com[54.240.0.41]\r\npostfix\/smtpd[28846]: Anonymous TLS connection established from a0-41.smtp-out.eu-west-1.amazonses.com[54.240.0.41]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128\/128 bits)\r\n<\/pre>\n
Pour plus de d\u00e9tails sur Perfect Forward Secrecy<\/em> et Postfix , voir le lien<\/a>.<\/p>\n
Dovecot et imapd<\/h3>\n
Pour Dovecot, seul l’IMAPS est actif dans ma solution personnelle de mails, et j’utilise dovecot 2.0<\/p>\n
La premi\u00e8re modification a r\u00e9aliser est donc dans le fichier \/etc\/dovecot\/conf.d\/10-ssl.conf<\/em>, ou on va modifier les ciphers lists :<\/p>\n
# SSL ciphers autoris\u00e9s\r\n# DEFAULT : ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL\r\nssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4\r\n\r\n# Forcer la s\u00e9lection de la cipher list c\u00f4t\u00e9 serveur (disponible uniquement dans les derni\u00e8res versions de Dovecot 2.2.x)\r\n#ssl_prefer_server_ciphers = yes\r\n<\/pre>\n
Une fois cette modification r\u00e9alis\u00e9e, nous allons modifier le logging pour voir apparaitre la ciphers list utilis\u00e9e par le client IMAPS, en ajoutant l’option %k, dans le fichier \/etc\/dovecot\/conf.d\/10-logging.conf<\/em> :<\/p>\n
# Space-separated list of elements we want to log. The elements which have\r\n# a non-empty variable value are joined together to form a comma-separated\r\n# string.\r\n#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c\r\nlogin_log_format_elements = \"user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k\"<\/pre>\n
Un red\u00e9marrage de Dovecot devrait suffire \u00e0 produire \u00e0 la prochaine connexion d’un client le log au format suivant :<\/p>\n
dovecot: imap-login: Login: user=<user@domain.net>, method=PLAIN, rip=2001:41d0:8:dead::beef, lip=2001:41d0:8::ac1d, mpid=15748, TLS, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256\/256 bits)\r\n<\/pre>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Apr\u00e8s mon article sur PFS pour Apache, j’ai mis \u00e9galement en place PFS sur mon serveur de messagerie Postfix\/Dovecot, le client K9-Mail pour Android supportant<\/p>\n
Continue readingPerfect Forward Secrecy pour Postfix\/Dovecot<\/span><\/a><\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,25],"tags":[53,116,99,98,81,96,97],"class_list":["post-2510","post","type-post","status-publish","format-standard","hentry","category-mail","category-securite-2","tag-imap","tag-mail","tag-perfect-forward-secrecy","tag-pfs","tag-smtp","tag-ssl","tag-tls","entry"],"_links":{"self":[{"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/posts\/2510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/comments?post=2510"}],"version-history":[{"count":2,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/posts\/2510\/revisions"}],"predecessor-version":[{"id":2512,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/posts\/2510\/revisions\/2512"}],"wp:attachment":[{"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/media?parent=2510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/categories?post=2510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/beufa.net\/fr\/wp-json\/wp\/v2\/tags?post=2510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}