From 6a0e8815229b2eba4e79c74ab19d35fe54761617 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Mon, 12 Sep 2022 12:53:57 +0200 Subject: [PATCH 1/3] Introduce TLS_PERMISSIVE for port 25 This new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so. --- core/admin/mailu/configuration.py | 1 + core/nginx/conf/nginx.conf | 2 ++ docs/configuration.rst | 2 ++ towncrier/newsfragments/2449.feature | 1 + 4 files changed, 6 insertions(+) create mode 100644 towncrier/newsfragments/2449.feature diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py index 0ba64c84..2f137c0c 100644 --- a/core/admin/mailu/configuration.py +++ b/core/admin/mailu/configuration.py @@ -74,6 +74,7 @@ DEFAULT_CONFIG = { 'PERMANENT_SESSION_LIFETIME': 30*24*3600, 'SESSION_COOKIE_SECURE': True, 'CREDENTIAL_ROUNDS': 12, + 'TLS_PERMISSIVE': True, 'TZ': 'Etc/UTC', # Host settings 'HOST_IMAP': 'imap', diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index f42d43c1..e772bf41 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -317,9 +317,11 @@ mail { ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem; ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/fullchain.pem; {% endif %} + {% if TLS_PERMISSIVE == 'true' %} ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; ssl_prefer_server_ciphers on; + {% endif %} starttls on; {% endif %} protocol smtp; diff --git a/docs/configuration.rst b/docs/configuration.rst index 0f9f792c..38ed96f1 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -215,6 +215,8 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send ISRG Root X1 certificate in TLS handshakes. This is required for `android handsets older than 7.1.1` but slows down the performance of modern devices. +The ``TLS_PERMISSIVE`` (default: true) setting controls whether ciphers and protocols offered on port 25 for STARTTLS are optimized for maximum compatibility. We **strongly recommend** that you do **not** change this setting on the basis that any encryption beats no encryption. If you are subject to compliance requirements and are not afraid of loosing emails as a result of artificially reducing compatibility, set it to 'false'. Keep in mind that servers that are running a software stack old enough to not be compatible with the current TLS requirements will either a) deliver in plaintext b) bounce emails c) silently drop emails; modern servers will benefit from various downgrade protections (DOWNGRD, RFC7507) making the security argument mostly a moot point. + .. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739 .. _reverse_proxy_headers: diff --git a/towncrier/newsfragments/2449.feature b/towncrier/newsfragments/2449.feature new file mode 100644 index 00000000..06b9d867 --- /dev/null +++ b/towncrier/newsfragments/2449.feature @@ -0,0 +1 @@ +Introduce TLS_PERMISSIVE, a new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so. From 9a38a22df364caa03820c20fb2ffb8ca5c70a2d8 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Wed, 14 Sep 2022 10:59:38 +0200 Subject: [PATCH 2/3] typo --- docs/configuration.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuration.rst b/docs/configuration.rst index 38ed96f1..80f97d3a 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -215,10 +215,10 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send ISRG Root X1 certificate in TLS handshakes. This is required for `android handsets older than 7.1.1` but slows down the performance of modern devices. -The ``TLS_PERMISSIVE`` (default: true) setting controls whether ciphers and protocols offered on port 25 for STARTTLS are optimized for maximum compatibility. We **strongly recommend** that you do **not** change this setting on the basis that any encryption beats no encryption. If you are subject to compliance requirements and are not afraid of loosing emails as a result of artificially reducing compatibility, set it to 'false'. Keep in mind that servers that are running a software stack old enough to not be compatible with the current TLS requirements will either a) deliver in plaintext b) bounce emails c) silently drop emails; modern servers will benefit from various downgrade protections (DOWNGRD, RFC7507) making the security argument mostly a moot point. - .. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739 +The ``TLS_PERMISSIVE`` (default: true) setting controls whether ciphers and protocols offered on port 25 for STARTTLS are optimized for maximum compatibility. We **strongly recommend** that you do **not** change this setting on the basis that any encryption beats no encryption. If you are subject to compliance requirements and are not afraid of losing emails as a result of artificially reducing compatibility, set it to 'false'. Keep in mind that servers that are running a software stack old enough to not be compatible with the current TLS requirements will either a) deliver in plaintext b) bounce emails c) silently drop emails; moreover, modern servers will benefit from various downgrade protections (DOWNGRD, RFC7507) making the security argument mostly a moot point. + .. _reverse_proxy_headers: The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings From 85a2aafcdfd6acf336d9188420519056040dd382 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Wed, 14 Sep 2022 11:03:44 +0200 Subject: [PATCH 3/3] ghostwheel42's suggestions --- core/nginx/conf/nginx.conf | 2 +- core/nginx/config.py | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index e772bf41..8fcaef26 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -317,7 +317,7 @@ mail { ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem; ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/fullchain.pem; {% endif %} - {% if TLS_PERMISSIVE == 'true' %} + {% if TLS_PERMISSIVE %} ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; ssl_prefer_server_ciphers on; diff --git a/core/nginx/config.py b/core/nginx/config.py index 6afde510..e9c4b50e 100755 --- a/core/nginx/config.py +++ b/core/nginx/config.py @@ -9,6 +9,8 @@ args = os.environ.copy() log.basicConfig(stream=sys.stderr, level=args.get("LOG_LEVEL", "WARNING")) +args['TLS_PERMISSIVE'] = str(args.get('TLS_PERMISSIVE')).lower() not in ('false', 'no') + # Get the first DNS server with open("/etc/resolv.conf") as handle: content = handle.read().split()