imthenachoman / How-To-Secure-A-Linux-Server

An evolving how-to guide for securing a Linux server.
Creative Commons Attribution Share Alike 4.0 International

Add information on how to use implicit TLS #26

Closed ghost closed 5 years ago

ghost commented 5 years ago

Fixes #24

imthenachoman commented 5 years ago

Something is fishy. I deleted the cert files to see what would happen and the e-mail still went through. I will have to play with this some more.

ghost commented 5 years ago

Deleting the certs won't prevent the mail from going through, but there won't be any encryption I don't think. Here's what I get with openssl s_client -connect localhost:465 before/after deleting the certs:

CONNECTED(00000003)
depth=0 C = US, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, CN = localhost
verify return:1
# etc...

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
# etc...

imthenachoman commented 5 years ago

So according to tcpdump, it does look like this makes the request through 465. It fails if openssl is not installed. And it works after openssl is installed even before a cert is created. But to your point, it would still work but wouldn't be encrypted. I will investigate how to confirm if it is being encrypted.

This is great stuff by the way. Thank you so much!

imthenachoman commented 5 years ago

sendmail -v shows some interesting details. Will investigate more.

ghost commented 5 years ago

Using swaks these are my results:

remyabel@instance-1:~$ sudo swaks --protocol smtps -tlsc --tls-cert /etc/exim4/exim.crt --tls-key /etc/exim4/exim.key -q HELO -s localhost
=== Trying localhost:465...
=== Connected to localhost.
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS local DN="/C=US/CN=localhost"
=== TLS peer DN="/C=US/CN=localhost"
# ...snip
remyabel@instance-1:~$ sudo swaks --protocol smtps -tlsc --tls-cert /etc/exim4/exim.crt --tls-key /etc/exim4/exim.key -q HELO -s localhost:25
=== Trying localhost:25...
=== Connected to localhost.
*** TLS startup failed (connect(): error:1408F10B:SSL routines:ssl3_get_record:wrong version number)

tlsc means TLS on connect. So it demonstrates that it does do TLS on port 465 and refuses to connect on port 25. If we do sudo swaks --protocol smtp -q HELO -s localhost, then it will do unencrypted transport on port 25 if for some reason someone wants to do that.

Note: if swaks refuses to connect, make sure to reconfigure exim4 to listen on 127.0.0.1; ::1 for IPv6.
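The two checks discussed in this thread (whether port 465 is really TLS-on-connect, and whether port 25 is plaintext) can be scripted without swaks. The following is an added example, not code from the How-To-Secure-A-Linux-Server repository or from either commenter: it probes a listener with Python's ssl module the same way `swaks -tlsc` does, and it classifies saved `openssl s_client` / swaks output like the transcripts above. The host name `localhost`, the `verify` flag, and the sample outputs embedded below are assumptions constructed for the example (modelled on the thread's transcripts, not copied verbatim).

```python
"""Confirm that an SMTP listener actually negotiates TLS.

Added example; not part of the How-To-Secure-A-Linux-Server repo.
Host/port defaults and the sample transcripts are constructed."""
import re
import socket
import ssl


def probe_implicit_tls(host="localhost", port=465, verify=True, timeout=5.0):
    """TLS-on-connect probe (what swaks -tlsc does): the handshake happens
    before any SMTP banner. Returns the negotiated protocol, cipher, the
    DER length of the peer certificate and the banner read through the
    tunnel. verify=False is only for a self-signed cert like the one in
    the thread; the certificate is still fetched, just not validated."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            banner = tls.recv(1024).decode("utf-8", "replace").strip()
            tls.sendall(b"QUIT\r\n")
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_cert_der_len": len(tls.getpeercert(binary_form=True) or b""),
                "banner": banner,
            }


def probe_plaintext(host="localhost", port=25, timeout=5.0):
    """Plain SMTP on port 25: the banner arrives unencrypted. Also reports
    whether the server advertises STARTTLS in its EHLO response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode("utf-8", "replace").strip()
        s.sendall(b"EHLO probe.invalid\r\n")
        ehlo = s.recv(4096).decode("utf-8", "replace")
        s.sendall(b"QUIT\r\n")
    return {"banner": banner, "starttls_offered": "STARTTLS" in ehlo.upper()}


# "New, TLSv1.2, Cipher is ECDHE-..." or "New, (NONE), Cipher is (NONE)"
_OPENSSL_CIPHER = re.compile(r"^New, .*?, Cipher is (.+)$", re.M)


def classify_s_client(output):
    """Classify `openssl s_client -connect host:465` output:
    'tls' if a cipher was negotiated, 'no-tls' if the handshake yielded
    none (e.g. the server has no certificate), 'unknown' if truncated."""
    m = _OPENSSL_CIPHER.search(output)
    if m:
        return "no-tls" if m.group(1).strip() == "(NONE)" else "tls"
    if "no peer certificate available" in output or "write:errno=" in output:
        return "no-tls"
    return "unknown"


def classify_swaks(output):
    """Classify swaks output as ('tls', cipher), ('failed', None) or
    ('plaintext', None). Cipher is the middle field of
    'TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256'."""
    m = re.search(r"=== TLS started with cipher (\S+)", output)
    if m:
        return "tls", m.group(1).split(":")[1]
    if "*** TLS startup failed" in output:
        return "failed", None
    return "plaintext", None


# Constructed sample transcripts (shaped like the ones in the thread).
S_CLIENT_OK = """CONNECTED(00000003)
depth=0 C = US, CN = localhost
verify error:num=18:self signed certificate
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""
S_CLIENT_NO_CERT = """CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""
SWAKS_465 = """=== Trying localhost:465...
=== Connected to localhost.
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
"""
SWAKS_25 = """=== Trying localhost:25...
=== Connected to localhost.
*** TLS startup failed (connect(): error:1408F10B:SSL routines:ssl3_get_record:wrong version number)
"""

if __name__ == "__main__":
    print("s_client ok      :", classify_s_client(S_CLIENT_OK))
    print("s_client no cert :", classify_s_client(S_CLIENT_NO_CERT))
    print("swaks 465        :", classify_swaks(SWAKS_465))
    print("swaks 25         :", classify_swaks(SWAKS_25))
    for fn in (lambda: probe_implicit_tls(verify=False), probe_plaintext):
        try:
            print(fn())
        except OSError as exc:  # no local exim4 listening, or wrong port
            print("probe failed:", exc)
```

Run it on the mail host itself: the 465 probe should print a TLSv1.2 or TLSv1.3 cipher and a non-zero certificate length; if the cert files have been deleted, the handshake raises an `ssl.SSLError` instead of silently falling back, which is the confirmation the thread was looking for. The 25 probe shows the banner in the clear, matching the "wrong version number" failure swaks reports when TLS-on-connect is attempted there.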