Virtualmin and PFS

I am thinking about setting up Postfix and Dovecot for PFS. Do you see any issues with Virtualmin then, as long as I enable the SSL certs for the mail servers as well? Or is there any pitfall to avoid in the first place? Don't want to screw everything up while it is working perfectly :slight_smile:

Thank you and Best j_m

Howdy,

Hmm, I’m not familiar with PFS. Can you describe how that setup might work?

-Eric

You need Postfix greater than 2.6 (best 2.8 or up) and OpenSSL greater than 0.9, better 1.0 or up.

You need to create two Diffie-Hellman keys and put them in main.cf:

openssl dhparam -2 -out /etc/postfix/dh_512.pem 512

openssl dhparam -2 -out /etc/postfix/dh_1024.pem 1024

postconf -e "smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem"

postconf -e "smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem"

postconf -e "smtpd_tls_eecdh_grade = strong"

postconf -e "tls_preempt_cipherlist = yes"

postconf -e "smtpd_tls_loglevel = 1"

postconf -e "smtp_tls_loglevel = 1"

postfix reload

tls_preempt_cipherlist only takes effect from Postfix 2.8 up; older versions ignore this setting.

Dovecot should be 2.1, better 2.2.x.

Dovecot uses PFS, but it does not show up in the log files. Therefore /etc/dovecot/conf.d/10-logging.conf has to be changed to:

login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"

Now test the setup:

openssl s_client -starttls smtp -connect mail.example.com:25

openssl s_client -starttls imap -connect imap.example.com:143

EDIT: Use your own mail server address here for testing instead of example.com.

The output should read something like this:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

So they say, but didn’t try it yet.
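As an added example (not code from the thread, nor from Virtualmin, Postfix or Dovecot), the following POSIX shell script automates the s_client check from the post above: it pulls the negotiated cipher suite out of s_client output and reports whether that suite uses an ephemeral (EC)DHE key exchange, which is what forward secrecy requires. The function names and the two sample handshake snippets are constructed for illustration; only probe_pfs talks to a real host, and the host names are placeholders. One caveat worth knowing before copying the config above: the 512-bit parameter file only serves export-grade EDH ciphers, which current OpenSSL builds no longer offer, so the 1024-bit (or larger) file is the one that matters.

```shell
#!/bin/sh
# Added example, not from the thread above: decide from `openssl s_client`
# output whether a mail server negotiated a forward-secret cipher suite.
# Function names and the sample handshake text below are my own construction.

# Return 0 when the cipher suite name implies an ephemeral key exchange.
# (EC)DHE suites carry it in their name; every TLS 1.3 suite (TLS_AES_*,
# TLS_CHACHA20_*) uses ephemeral key exchange, so they count as well.
# Plain RSA key transport (e.g. AES256-GCM-SHA384) is not forward secret.
cipher_is_pfs() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*|TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read s_client output on stdin and print the negotiated cipher suite name
# from the "Cipher    : NAME" line of the SSL-Session block (first match).
extract_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Read s_client output on stdin, print "PFS <cipher>" or "NO-PFS <cipher>",
# and return 0 / 1 accordingly (2 and "NO-HANDSHAKE" if no cipher line exists).
pfs_verdict() {
    cipher=$(extract_cipher)
    if [ -z "$cipher" ]; then
        echo "NO-HANDSHAKE"
        return 2
    fi
    if cipher_is_pfs "$cipher"; then
        echo "PFS $cipher"
        return 0
    fi
    echo "NO-PFS $cipher"
    return 1
}

# Probe a live server the way the thread does, then classify the result.
# Usage: probe_pfs mail.example.com 25 smtp   (or: imap.example.com 143 imap)
# </dev/null makes s_client exit right after the handshake.
probe_pfs() {
    openssl s_client -starttls "$3" -connect "$1:$2" </dev/null 2>/dev/null | pfs_verdict
}

# Constructed sample: the tail of an s_client session against a server that
# negotiated ECDHE, so the expected verdict is PFS.
SAMPLE_PFS='---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample: same server, but a static-RSA suite, so NO-PFS.
SAMPLE_RSA='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'

# Classify both samples; "|| true" keeps the expected non-zero exit from
# aborting a shell that runs with "set -e".
for s in "$SAMPLE_PFS" "$SAMPLE_RSA"; do
    printf '%s\n' "$s" | pfs_verdict || true
done
```

To check a real server, source the script and run, for example, `probe_pfs mail.example.com 25 smtp`; a "NO-PFS" or "NO-HANDSHAKE" line means the Postfix or Dovecot settings above are not in effect on that port.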

Bump :slight_smile:

Summary

@andreychek :slight_smile: "Forward secrecy (FS), also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromise of private keys. The very popular RSA key exchange doesn't provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers."

Detail

Test

This free software allows you to test whether the SSL certificate presently installed on a domain name supports PFS: SSL Server Test (Powered by Qualys SSL Labs)
