Koozali.org: home of the SME Server

Email / Security Advice

gbentley
Email / Security Advice
« on: February 11, 2017, 12:40:13 PM »
Hi All,

I recently had an email from a client whose 'friend' works for an independent pentesting company.

In his report he flagged up the following:

> Risk: Medium: TCP 443 / 993
>
> The remote service supports the use of SSL ciphers that offer medium encryption strength; this is currently regarded as those with key length less than 112 bits.
>
> Note: This particular attack is considerably easier to exploit if the attacker gained access to the LAN.
>
> Reconfigure the service (if possible) to reject the use of medium strength ciphers.
>
> Risk: Medium: TCP 993
>
> The remote service by default uses SSL v3.0, which is known to have several cryptographic flaws. An attacker can exploit these flaws to conduct a man-in-the-middle attack between a client and server or simply decrypt the captured traffic afterwards with a modern machine to read the data sent.
>
> Note: The use of SSL v3 is deemed by NIST as a no longer acceptable means for secure communications. As of the date of enforcement, PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definitions of 'strong cryptography' and will result in a fail of PCI DSS requirements.
>
> Consult the service's documentation to disable the use of SSL and instead use TLS 1.1 as a minimum. However, its successor TLS 1.2 is recommended.
>
> Risk: Low: TCP 443 / 993
>
> CVE-2014-2566, CVE-2015-2808:
> The remote service supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes, decreasing its randomness. If an attacker is able to capture many cipher texts, they could then derive the plaintext.
>
> Reconfigure the service to reject RC4 cipher suites. Previous to above, consider upgrading to TLS 1.2 with AES-GCM.
>
> Risk: Low: TCP 443 / 993
>
> CVE-2016-2183, CVE-2016-6329:
> The remote service supports the use of a block cipher with 64-bit blocks. This has been identified to be exploitable by a vulnerability known as SWEET32.
>
> In academia, proof-of-concepts have shown that an attacker can leverage this vulnerability in as little as 30 hours and recover cookies used to track logged-in users. The attacker can then simply add these cookies to their browser and they will then be logged in as the user.
>
> Reconfigure the service to reject the use of all 64-bit block ciphers.

I am certainly not qualified to form a response to the above; however, since so few of the staff ever used Horde or POP3S remotely, I figured I would disable those services in Server Manager and remove the port rules on the router [ports 995 & 443].

The phones need IMAPS so that's a must; however, I am getting the settings for SMTP round my neck a bit... I have the MX record pointing at the WAN IP and hence port 25 forwarded to SME.

In Server Manager > Email Settings > Email Reception > SMTP Authentication - if I 'Disable' this, does that prevent all external access, thus preventing receiving mail from another MTA on 25? Would that also stop Outlook on the LAN sending to SME? In what scenario would Secure SMTP only be used?

Thanks in advance for some clarity on this :)



"If you don't know what you want, you end up with a lot you don't."

DanB35
Re: Email / Security Advice
« Reply #1 on: February 12, 2017, 01:38:06 PM »
Well, I didn't think SSLv3 was enabled on port 443 any more by default--what's the output of 'config show httpd-e-smith' on your system?  And I thought, though I can't find the bug or the thread at the moment, that there had been an update to disable SSLv3 by default anywhere it would have been used.  Is your system up to date?

gbentley
Re: Email / Security Advice
« Reply #2 on: February 12, 2017, 02:00:33 PM »
Yep, bang up to date :)

Was wondering - is this

https://wiki.contribs.org/Email_-_Setting_up_E-mail_clients_for_SME_8.0#Disable_encryption.2Fauthentication_of_mail_when_relaying

the same as: Server Manager > Email Settings > Email Reception > SMTP Authentication > Disabled - in 9.x? Would that then mean no service was using port 465?

If I am using the ISP's outgoing AuthSMTP can I close off router port 465 in any case?

Thanks!
« Last Edit: February 12, 2017, 02:09:10 PM by gbentley »
"If you don't know what you want, you end up with a lot you don't."

DanB35
Re: Email / Security Advice
« Reply #3 on: February 12, 2017, 02:30:45 PM »
I don't think you want to disable SMTP authentication, and none of the issues that have been pointed out have anything to do with that--they're all dealing with HTTPS and IMAPS.

Let's try this: what's the output of 'config show | grep -C 10 SSL'?

gbentley
Re: Email / Security Advice
« Reply #4 on: February 12, 2017, 07:07:39 PM »
> what's the output of 'config show httpd-e-smith'

# config show httpd-e-smith
httpd-e-smith=service
    SSLv2=disabled
    SSLv3=disabled
    TCPPort=80
    access=public
    status=enabled

> what's the output of 'config show | grep -C 10 SSL'?

# config show | grep -C 10 SSL
    imp=installed
    status=disabled
httpd-admin=service
    PermitPlainTextAccess=no
    TCPPort=980
    TKTAuthSecret=366de392-dd77-47be-a46f-8537dcf6dd32
    ValidFrom=
    access=localhost
    status=enabled
httpd-e-smith=service
    SSLv2=disabled
    SSLv3=disabled
    TCPPort=80
    access=public
    status=enabled
imap=service
    ConcurrencyLimit=400
    ConcurrencyLimitPerIP=12
    TCPPort=143
    access=private
    status=enabled
imaps=service
    TCPPort=993
    access=public
    status=enabled
imp=service
    access=SSL
    status=disabled
ippp=service
    status=disabled
irqbalance=service
    status=enabled
isdn=service
    Protocol=2
    UserSyncPPP=yes
    status=disabled
klogd=service
--
    status=enabled
maxAcctNameLength=31
maxGroupNameLength=31
maxIbayNameLength=12
messagebus=service
    status=enabled
microcode_ctl=service
    status=enabled
modPerl=service
    status=disabled
modSSL=service
    CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/mail.{domain}.co.uk.crt
    key=/home/e-smith/ssl.key/mail.{domain}.co.uk.key
    status=enabled
mysql.init=service
    status=enabled
mysqld=service
    LocalNetworkingOnly=yes

> I don't think you want to disable SMTP authentication, and none of the issues that have been pointed out have anything to do with that

Maybe I should have also asked "What mail services can I disable yet still leave IMAPS available to mobile phones?"
« Last Edit: February 12, 2017, 07:11:35 PM by gbentley »
"If you don't know what you want, you end up with a lot you don't."
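The report above boils down to three cipher-level questions about the `modSSL` `CipherSuite` value shown in the `config show` output: does it admit RC4, 64-bit block ciphers (the SWEET32 family: 3DES, IDEA, RC2), or suites below 112 bits of strength? The following script is an added example, not code from this thread or from the Koozali project. It asks the local OpenSSL build to expand a cipher string, exactly as Apache's mod_ssl would, and reports which of the flagged classes survive, so a string can be evaluated before it is applied. The "hardened" string is a constructed alternative written for this example, not an official SME Server setting, and the result depends on the OpenSSL build the script runs against (RC4 is absent from most current builds altogether).

```python
"""Audit an OpenSSL cipher-suite string for the classes of weak suite named
in the pentest report: RC4, 64-bit block ciphers (SWEET32) and suites with
strength below 112 bits. Added example; no network access is needed."""
import ssl

# CipherSuite value for modSSL as shown in the thread's `config show` output.
SME_CIPHERSUITE = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

# Constructed hardened string (an assumption for this example, not an SME
# default): forward-secret AEAD suites only, with the flagged families
# excluded explicitly so a future OpenSSL alias change cannot re-admit them.
HARDENED_CIPHERSUITE = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!RC4:!3DES:!DES:!IDEA:!RC2:!MD5:!EXP:!LOW"
)

# Substrings OpenSSL uses in suite names for ciphers with 64-bit blocks.
BLOCK64_TOKENS = ("DES-CBC3", "3DES", "IDEA", "RC2")


def enabled_suites(cipher_string):
    """Return the TLS 1.2-and-below suites the local OpenSSL enables for a
    cipher string. TLS 1.3 suites are configured separately by OpenSSL and
    are always listed, so they are dropped to keep the result about the
    string under test. Raises ssl.SSLError if the string matches nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Classify every enabled suite against the three report findings."""
    suites = enabled_suites(cipher_string)
    findings = {"rc4": [], "block64": [], "below_112_bits": []}
    for suite in suites:
        name = suite["name"]
        if "RC4" in name:
            findings["rc4"].append(name)
        if any(tok in name for tok in BLOCK64_TOKENS):
            findings["block64"].append(name)
        # strength_bits is OpenSSL's effective key strength (112 for 3DES,
        # so 3DES is caught by the block-size check rather than this one).
        if suite["strength_bits"] < 112:
            findings["below_112_bits"].append(name)
    return {"total": len(suites), "findings": findings}


def is_clean(report):
    """True when none of the flagged classes is enabled."""
    return not any(report["findings"].values())


if __name__ == "__main__":
    for label, cs in (("SME string", SME_CIPHERSUITE),
                      ("hardened string", HARDENED_CIPHERSUITE)):
        report = audit(cs)
        print(f"{label}: {report['total']} TLS<=1.2 suites enabled, "
              f"{'clean' if is_clean(report) else 'findings present'}")
        for kind, names in report["findings"].items():
            print(f"  {kind}: {', '.join(names) if names else 'none'}")
```

Run it on the server itself (Python's `ssl` module uses the system OpenSSL) to see what the installed library actually offers for the current string; on a build that still ships 3DES, the SME string lists `DES-CBC3-SHA` under `block64`, which is the SWEET32 item in the report. A clean result here only covers cipher selection: the SSLv3 finding on port 993 is a protocol-version setting and is not visible through this check.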

gbentley
Re: Email / Security Advice
« Reply #5 on: February 13, 2017, 07:00:26 PM »
# openssl s_client -connect mail.domain.co.uk:imaps

reveals this section in its output:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384

I am uncertain in this case whether all possibilities were actually tested when generating the report in my OP, or whether the responses given matched 'typical' scenarios?
"If you don't know what you want, you end up with a lot you don't."

guest22

Re: Email / Security Advice
« Reply #6 on: February 17, 2017, 09:33:50 AM »
> Well, I didn't think SSLv3 was enabled on port 443 any more by default--what's the output of 'config show httpd-e-smith' on your system?  And I thought, though I can't find the bug or the thread at the moment, that there had been an update to disable SSLv3 by default anywhere it would have been used.  Is your system up to date?

I think this will point to the right information: https://bugs.contribs.org/show_bug.cgi?id=8852

guest22

Re: Email / Security Advice
« Reply #7 on: February 17, 2017, 09:50:18 AM »
And this test will show you some useful information too: https://www.ssllabs.com/ssltest/