From: Jake Vickers (jake v2gnu.com)
Date: Fri Jul 24 2009 - 06:08:58 CDT
Jake Vickers wrote:
> Barney Desmond wrote:
>> 2009/7/24 Jake Vickers <jake v2gnu.com>:
>>
>>> I am having a spot of trouble disabling SSLv2 on a Postfix 2.5.1
>>> installation (from Fedora 9 repo). Here is my postconf:
>>
>>> $ postconf -n
>>>
>> <snip>
>>
>>> smtpd_tls_mandatory_protocols = !SSLv2
>>
>> As documented, this shouldn't be necessary:
>> http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols
>>
>>> And when I try and check (from another machine) to see if it's still active:
>>>
>>> openssl s_client -connect 192.168.0.10:25 -ssl2
>>>
>>> I get this:
>>>
>>>> CONNECTED(00000003)
>>>>
>>> That means it's still answering SSLv2 correct?
>>
>> Does it? It means you're getting a connection, it doesn't mean you're
>> getting past that point. You really want to test for TLS anyway, so
>> use openssl's SMTP protocol support. An example from my own TLS setup
>> (seeing as you haven't been forthcoming with details of your own):
>>
>> % openssl s_client -connect yoshino.meidokon.net:587 -starttls smtp -ssl2
>> CONNECTED(00000003)
>> write:errno=104
>>
>> It works fine if you remove the "-ssl2".
>
> That's where it confuses me on my end. You see that I have
> smtpd_tls_mandatory = !SSLv2 in my config (even though the
> documentation says I do not need it), but when I use your command I
> get a connection and my certificate:
>
> jake jake-desktop:~$ openssl s_client -connect 270.271.204.26:587 -starttls smtp -ssl2
> CONNECTED(00000003)
> depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See
> www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated -
> RapidSSL(R)/CN=mail.network.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See
> www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated -
> RapidSSL(R)/CN=mail.network.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See
> www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated -
> RapidSSL(R)/CN=mail.network.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIDODCCAqGgAwIBAgIDDBRgMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
> MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
> aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNzIyMDY1ODA0WhcNMTAwNzI0MTMwNjAw
>
> <--snip-->
>
> subject=/C=CA/O=mail.network.com/OU=GT11322033/OU=See
> www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated -
> RapidSSL(R)/CN=mail.network.com
> issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> No client certificate CA names sent
> ---
> Ciphers common between both SSL endpoints:
> RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
> EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
> ---
> SSL handshake has read 1172 bytes and written 271 bytes
> ---
> New, SSLv2, Cipher is DES-CBC3-MD5
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : SSLv2
> Cipher : DES-CBC3-MD5
> Session-ID: 75F9B5C96A96710363065077390D449B
> Session-ID-ctx:
> Master-Key: 94D5D80849D4EBC3A89E13A25EEF4009499F04CDE5821EF8
> Key-Arg : DC09C51C27AE4A04
> Start Time: 1248431958
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> 250 DSN
>
> <--end-->
>
> This is why I am confused. I shouldn't need to turn it off, and I
> explicitly state to do so in the config, but it still allows SSLv2
> connections.
>
I also tried these settings (smtpd_tls_mandatory_protocols = !SSLv2) on
a Debian build (running 2.3.8) with a self-signed cert and am still
getting an SSLv2 connection. I'm sure I'm missing something glaringly
obvious...
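Added example, not part of the thread: a small Python parser that applies the distinction Barney draws above, that "CONNECTED" only means the TCP socket opened, to `openssl s_client -starttls smtp -ssl2` transcripts, reporting whether a handshake actually completed and with which protocol. The two sample transcripts are constructed, shortened versions of the captures quoted in this message.

```python
import re

# Constructed from Barney's capture: socket opened, server dropped the SSLv2 hello.
REFUSED_SAMPLE = """CONNECTED(00000003)
write:errno=104
"""

# Constructed from Jake's capture (trimmed): a full SSLv2 session was negotiated.
ACCEPTED_SAMPLE = """CONNECTED(00000003)
depth=0 /C=CA/O=mail.network.com/CN=mail.network.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
"""


def parse_s_client(output):
    """Summarise an s_client transcript.

    'connected' is set by the CONNECTED line alone (TCP only).
    'handshake_ok' is set only when a "New, <proto>, Cipher is <cipher>"
    line exists and the cipher is not "(NONE)"; a write:errno or handshake
    failure after CONNECTED leaves it False.
    """
    summary = {"connected": False, "handshake_ok": False,
               "protocol": None, "cipher": None, "verify_code": None}
    summary["connected"] = re.search(r"^CONNECTED\(", output, re.M) is not None
    m = re.search(r"^New, (\S+), Cipher is (\S+)", output, re.M)
    if m and m.group(2) != "(NONE)":
        summary["handshake_ok"] = True
        summary["protocol"], summary["cipher"] = m.group(1), m.group(2)
    v = re.search(r"Verify return code: (\d+)", output)
    if v:
        summary["verify_code"] = int(v.group(1))
    return summary


def sslv2_accepted(output):
    """True only when the server completed an SSLv2 handshake."""
    s = parse_s_client(output)
    return s["handshake_ok"] and s["protocol"] == "SSLv2"
```

Feed it the saved stdout of an s_client run; a result of connected but not handshake_ok is the "refused" case, which is what a correctly restricted server should produce.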