From 6e3dee8b3b137e35399fe4f874e012f44c325f9b Mon Sep 17 00:00:00 2001 From: Francesco Montanari Date: Sun, 1 Dec 2019 23:10:04 +0200 Subject: [PATCH 01/10] Upgrade RoundCube to 1.4.1 and set the default skin to elastic (#1673) * Upgrade RoundCube to 1.4.0 and set the default skin to elastic * Install php-ldap extension * Remove smtp parameters that are now the default --- CHANGELOG.md | 4 ++++ setup/webmail.sh | 18 +++++++++++------- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e59bda9..c0c75963 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,10 +4,14 @@ CHANGELOG Under Development ----------------- +WebMail: +* Set the default Roundcube skin to the new "Elastic" theme. + Software updates: * Upgraded Nextcloud from 15.0.8 to 16.0.5 (with Contacts from 3.1.1 to 3.1.4 and Calendar from 1.6.5 to 1.7.1) * Upgraded Z-Push to 2.5.1. +* Upgraded Roundcube from 1.3.10 to 1.4.1. Control panel: diff --git a/setup/webmail.sh b/setup/webmail.sh index 6cbe55f9..f44ea047 100755 --- a/setup/webmail.sh +++ b/setup/webmail.sh @@ -22,14 +22,14 @@ source /etc/mailinabox.conf # load global vars echo "Installing Roundcube (webmail)..." apt_install \ dbconfig-common \ - php-cli php-sqlite3 php-intl php-json php-common php-curl \ + php-cli php-sqlite3 php-intl php-json php-common php-curl php-ldap \ php-gd php-pspell tinymce libjs-jquery libjs-jquery-mousewheel libmagic1 php-mbstring # Install Roundcube from source if it is not already present or if it is out of date. # Combine the Roundcube version number with the commit hash of plugins to track # whether we have the latest version of everything. -VERSION=1.3.10 -HASH=431625fc737e301f9b7e502cccc61e50a24786b8 +VERSION=1.4.1 +HASH=f4ecc63185b8f7b4ce5bccdc9fc689571e82c489 PERSISTENT_LOGIN_VERSION=dc5ca3d3f4415cc41edb2fde533c8a8628a94c76 HTML5_NOTIFIER_VERSION=4b370e3cd60dabd2f428a26f45b677ad1b7118d5 CARDDAV_VERSION=3.0.3 @@ -51,6 +51,13 @@ elif [[ "$UPDATE_KEY" != `cat /usr/local/lib/roundcubemail/version` ]]; then needs_update=1 #NODOC fi if [ $needs_update == 1 ]; then + # if upgrading from 1.3.x, clear the temp_dir + if [ -f /usr/local/lib/roundcubemail/version ]; then + if [ "$(cat /usr/local/lib/roundcubemail/version | cut -c1-3)" == '1.3' ]; then + find /var/tmp/roundcubemail/ -type f ! -name 'RCMTEMP*' -delete + fi + fi + # install roundcube wget_verify \ https://github.com/roundcube/roundcubemail/releases/download/$VERSION/roundcubemail-$VERSION-complete.tar.gz \ @@ -110,9 +117,6 @@ cat > $RCM_CONFIG < array( 'verify_peer' => false, @@ -123,7 +127,7 @@ cat > $RCM_CONFIG < Date: Sun, 1 Dec 2019 22:11:00 +0100 Subject: [PATCH 02/10] Nextcloud 17 (#1676) --- CHANGELOG.md | 2 +- setup/nextcloud.sh | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c0c75963..779f13dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ WebMail: Software updates: -* Upgraded Nextcloud from 15.0.8 to 16.0.5 (with Contacts from 3.1.1 to 3.1.4 and Calendar from 1.6.5 to 1.7.1) +* Upgraded Nextcloud from 15.0.8 to 17.0.1 (with Contacts from 3.1.1 to 3.1.6 and Calendar from 1.6.5 to 1.7.1) * Upgraded Z-Push to 2.5.1. * Upgraded Roundcube from 1.3.10 to 1.4.1. diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index d2a4a0ce..9ec7ff14 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -40,7 +40,7 @@ InstallNextcloud() { # their github repositories. mkdir -p /usr/local/lib/owncloud/apps - wget_verify https://github.com/nextcloud/contacts/releases/download/v3.1.4/contacts.tar.gz 297cb38c0ba9ba7ad7b8b61108033af8d7eccd96 /tmp/contacts.tgz + wget_verify https://github.com/nextcloud/contacts/releases/download/v3.1.6/contacts.tar.gz d331dc6db2ecf7c8e6166926a055dfa3b59722c3 /tmp/contacts.tgz tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/ rm /tmp/contacts.tgz @@ -91,8 +91,8 @@ InstallNextcloud() { } # Nextcloud Version to install. Checks are done down below to step through intermediate versions. -nextcloud_ver=16.0.5 -nextcloud_hash=46e8ec989de9aad9967a5a54ddb84ce8b8e2c54c +nextcloud_ver=17.0.1 +nextcloud_hash=81e47f2288377927346a4b4cbbb2ecf1b6f4a0e1 # Current Nextcloud Version, #1623 # Checking /usr/local/lib/owncloud/version.php shows version of the Nextcloud application, not the DB @@ -151,6 +151,10 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc InstallNextCloud 15.0.8 4129d8d4021c435f2e86876225fb7f15adf764a3 CURRENT_NEXTCLOUD_VER="15.0.8" fi + if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^15 ]]; then + InstallNextCloud 16.0.6 0bb3098455ec89f5af77a652aad553ad40a88819 + CURRENT_NEXTCLOUD_VER="16.0.6" + fi fi InstallNextcloud $nextcloud_ver $nextcloud_hash From 52c68c65104a0115f18d0129a8be7442c54bee70 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sun, 1 Dec 2019 22:13:33 +0100 Subject: [PATCH 03/10] Implement Nextcloud php-fpm recommended performance tuning settings (#1679) --- setup/nextcloud.sh | 4 ---- setup/web.sh | 44 +++++++++++++++++++++++++++++++++++++++----- 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh index 9ec7ff14..af47a062 100755 --- a/setup/nextcloud.sh +++ b/setup/nextcloud.sh @@ -303,10 +303,6 @@ tools/editconf.py /etc/php/7.2/cli/conf.d/10-opcache.ini -c ';' \ opcache.save_comments=1 \ opcache.revalidate_freq=1 -# Configure the path environment for php-fpm -tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ - env[PATH]=/usr/local/bin:/usr/bin:/bin - # If apc is explicitly disabled we need to enable it if grep -q apc.enabled=0 /etc/php/7.2/mods-available/apcu.ini; then tools/editconf.py /etc/php/7.2/mods-available/apcu.ini -c ';' \ diff --git a/setup/web.sh b/setup/web.sh index ed37e5e3..a5720224 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -48,13 +48,47 @@ tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \ default_charset="UTF-8" -# Switch from the dynamic process manager to the ondemand manager see #1216 +# Configure the path environment for php-fpm tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ - pm=ondemand + env[PATH]=/usr/local/bin:/usr/bin:/bin \ -# Bump up PHP's max_children to support more concurrent connections -tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ - pm.max_children=8 +# Configure php-fpm based on the amount of memory the machine has +# This is based on the nextcloud manual for performance tuning: https://docs.nextcloud.com/server/17/admin_manual/installation/server_tuning.html +# Some synchronisation issues can occur when many people access the site at once. +# The pm=ondemand setting is used for memory constrained machines < 2GB, this is copied over from PR: 1216 +TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true) +if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ] +then + tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + pm=ondemand \ + pm.max_children=8 \ + pm.start_servers=2 \ + pm.min_spare_servers=1 \ + pm.max_spare_servers=3 +elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ] +then + tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + pm=ondemand \ + pm.max_children=16 \ + pm.start_servers=4 \ + pm.min_spare_servers=1 \ + pm.max_spare_servers=6 +elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ] +then + tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + pm=dynamic \ + pm.max_children=60 \ + pm.start_servers=6 \ + pm.min_spare_servers=3 \ + pm.max_spare_servers=9 +else + tools/editconf.py /etc/php/7.2/fpm/pool.d/www.conf -c ';' \ + pm=dynamic \ + pm.max_children=120 \ + pm.start_servers=12 \ + pm.min_spare_servers=6 \ + pm.max_spare_servers=18 +fi # Other nginx settings will be configured by the management service # since it depends on what domains we're serving, which we don't know From 802e7a1f4d315a1bd10c1dfae259f6779f940ed0 Mon Sep 17 00:00:00 2001 From: Carl Reinke Date: Sun, 1 Dec 2019 14:15:04 -0700 Subject: [PATCH 04/10] Copy systemd service files before linking to avoid issue with order of mounting filesystems (#1688) --- setup/management.sh | 3 ++- setup/munin.sh | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/management.sh b/setup/management.sh index 3a6e187b..e4fd75da 100755 --- a/setup/management.sh +++ b/setup/management.sh @@ -93,7 +93,8 @@ source $venv/bin/activate exec python `pwd`/management/daemon.py EOF chmod +x $inst_dir/start -hide_output systemctl link -f conf/mailinabox.service +cp -f conf/mailinabox.service /lib/systemd/system/mailinabox.service +hide_output systemctl link -f /lib/systemd/system/mailinabox.service hide_output systemctl daemon-reload hide_output systemctl enable mailinabox.service diff --git a/setup/munin.sh b/setup/munin.sh index df7af601..9bb19472 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -64,7 +64,8 @@ mkdir -p /var/lib/munin-node/plugin-state/ # Create a systemd service for munin. ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh chmod 0744 /usr/local/lib/mailinabox/munin_start.sh -hide_output systemctl link -f conf/munin.service +cp -f conf/munin.service /lib/systemd/system/munin.service +hide_output systemctl link -f /lib/systemd/system/munin.service hide_output systemctl daemon-reload hide_output systemctl unmask munin.service hide_output systemctl enable munin.service From 960b5d5bbddd469f77f91540b35980ce026ff46b Mon Sep 17 00:00:00 2001 From: Carl Reinke Date: Sun, 1 Dec 2019 14:21:38 -0700 Subject: [PATCH 05/10] Don't use ifquery to check interface state since it is no longer installed (#1689) --- setup/munin.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/munin.sh b/setup/munin.sh index 9bb19472..b052ef0f 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -53,7 +53,7 @@ find /etc/munin/plugins/ -lname /usr/share/munin/plugins/ntp_ -print0 | xargs -0 # Deactivate monitoring of network interfaces that are not up. Otherwise we can get a lot of empty charts. for f in $(find /etc/munin/plugins/ \( -lname /usr/share/munin/plugins/if_ -o -lname /usr/share/munin/plugins/if_err_ -o -lname /usr/share/munin/plugins/bonding_err_ \)); do IF=$(echo $f | sed s/.*_//); - if ! ifquery $IF >/dev/null 2>/dev/null; then + if ! grep -qFx up /sys/class/net/$IF/operstate 2>/dev/null; then rm $f; fi; done From 81176c8e4b499874883b1936da06117c3e32dce2 Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Sun, 1 Dec 2019 13:22:17 -0800 Subject: [PATCH 06/10] Fix to prevent multiple commented entries in dovecot conf (#1642) --- setup/mail-dovecot.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index c3d2ee57..d0498ab2 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -87,8 +87,8 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_protocols=!SSLv3" \ "ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \ - "ssl_prefer_server_ciphers = yes" \ - "ssl_dh_parameters_length = 2048" + "ssl_prefer_server_ciphers=yes" \ + "ssl_dh_parameters_length=2048" # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit # login credentials outside of an encrypted connection. Only the over-TLS versions From aa15670dc24e885a44dfcf67b93845f78eed7e3b Mon Sep 17 00:00:00 2001 From: jvolkenant Date: Sun, 1 Dec 2019 13:23:02 -0800 Subject: [PATCH 07/10] Fixed multiple commented add_header entries in /etc/spamassassin/local.cf (#1641) --- setup/spamassassin.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/spamassassin.sh b/setup/spamassassin.sh index 148cfd0b..d6c8b83b 100755 --- a/setup/spamassassin.sh +++ b/setup/spamassassin.sh @@ -64,8 +64,8 @@ tools/editconf.py /etc/default/spampd \ # the X-Spam-Status & X-Spam-Score mail headers and related headers. tools/editconf.py /etc/spamassassin/local.cf -s \ report_safe=0 \ - add_header="all Report _REPORT_" \ - add_header="all Score _SCORE_" + "add_header all Report"=_REPORT_ \ + "add_header all Score"=_SCORE_ # Bayesean learning # ----------------- From ad9d7326083090f0c2a57ed727b2d82722190264 Mon Sep 17 00:00:00 2001 From: Vasek Sraier Date: Sun, 1 Dec 2019 22:24:38 +0100 Subject: [PATCH 08/10] OpenDKIM canonicalization changed to relaxed for mail headers (#1620) Because Mailman reformats headers it breaks DKIM signatures. SPF also does not apply in mailing lists. This together causes DMARC to fail and mark the email as invalid. This fixes DKIM signatures for Mailman-based mailing lists and makes sure DMARC test is passed. --- setup/dkim.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/dkim.sh b/setup/dkim.sh index dc7e51e2..5bd32370 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -31,6 +31,7 @@ if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then else # Add various configuration options to the end of `opendkim.conf`. cat >> /etc/opendkim.conf << EOF; +Canonicalization relaxed/simple MinimumKeyBits 1024 ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts From 8567a9b71905a32f021d124112eaa230fa933469 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sun, 1 Dec 2019 17:43:56 -0500 Subject: [PATCH 09/10] Fix upgrade issue broken by 802e7a1f4d315a1bd10c1dfae259f6779f940ed0 --- setup/management.sh | 2 +- setup/munin.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/management.sh b/setup/management.sh index e4fd75da..3caf8eea 100755 --- a/setup/management.sh +++ b/setup/management.sh @@ -93,7 +93,7 @@ source $venv/bin/activate exec python `pwd`/management/daemon.py EOF chmod +x $inst_dir/start -cp -f conf/mailinabox.service /lib/systemd/system/mailinabox.service +cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first hide_output systemctl link -f /lib/systemd/system/mailinabox.service hide_output systemctl daemon-reload hide_output systemctl enable mailinabox.service diff --git a/setup/munin.sh b/setup/munin.sh index b052ef0f..6799cad6 100755 --- a/setup/munin.sh +++ b/setup/munin.sh @@ -64,7 +64,7 @@ mkdir -p /var/lib/munin-node/plugin-state/ # Create a systemd service for munin. ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh chmod 0744 /usr/local/lib/mailinabox/munin_start.sh -cp -f conf/munin.service /lib/systemd/system/munin.service +cp --remove-destination conf/munin.service /lib/systemd/system/munin.service # target was previously a symlink so remove first hide_output systemctl link -f /lib/systemd/system/munin.service hide_output systemctl daemon-reload hide_output systemctl unmask munin.service From f53b18ebb9b1c4c9aba95b3a26bee2be85f8002f Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sun, 1 Dec 2019 17:49:36 -0500 Subject: [PATCH 10/10] Upgrade TLS settings --- CHANGELOG.md | 4 ++++ conf/nginx-ssl.conf | 2 +- security.md | 6 +++--- setup/mail-dovecot.sh | 11 +++++------ setup/mail-postfix.sh | 30 ++++++++++++++++++++---------- setup/web.sh | 7 ++++++- 6 files changed, 39 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 779f13dc..f7e1e870 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ CHANGELOG Under Development ----------------- +System: + +* TLS settings have been upgraded following Mozilla's recommendations for servers. TLS1.2 and 1.3 are now the only supported protocols for web, IMAP, and SMTP (submission). + WebMail: * Set the default Roundcube skin to the new "Elastic" theme. diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf index 1aba45c3..621973df 100644 --- a/conf/nginx-ssl.conf +++ b/conf/nginx-ssl.conf @@ -1,7 +1,7 @@ # We track the Mozilla "intermediate" compatibility TLS recommendations. # Note that these settings are repeated in the SMTP and IMAP configuration. # ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols. -ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem; # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html diff --git a/security.md b/security.md index b8dc35af..bc980808 100644 --- a/security.md +++ b/security.md @@ -39,9 +39,9 @@ These services are protected by [TLS](https://en.wikipedia.org/wiki/Transport_La The services all follow these rules: * TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh)) -* Only TLSv1, TLSv1.1 and TLSv1.2 are offered (the older SSL protocols are not offered). -* HTTPS, IMAP, and POP track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt). -* SMTP (port 25) uses the Postfix medium grade ciphers and SMTP Submission (port 587) uses the Postfix high grade ciphers ([more info](http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers)). +* Only TLSv1.2+ are offered (the older SSL protocols are not offered). +* We track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt). +* SMTP port 25 (inbound) follows similar rules. Outbound SMTP (i.e. the server is the client) uses more relaxed settings. Additionally: diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index d0498ab2..0926ce9a 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -78,16 +78,15 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \ "auth_mechanisms=plain login" # Enable SSL, specify the location of the SSL certificate and private key files. -# Disable obsolete SSL protocols and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/. -# Enable strong ssl dh parameters - +# Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1, +# except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2. tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ ssl=required \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ - "ssl_protocols=!SSLv3" \ - "ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" \ - "ssl_prefer_server_ciphers=yes" \ + "ssl_protocols=TLSv1.2" \ + "ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ + "ssl_prefer_server_ciphers=no" \ "ssl_dh_parameters_length=2048" # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh index 75e09a11..695884ea 100755 --- a/setup/mail-postfix.sh +++ b/setup/mail-postfix.sh @@ -80,7 +80,6 @@ tools/editconf.py /etc/postfix/main.cf \ # OpenDKIM milter only. See dkim.sh. # * Even though we dont allow auth over non-TLS connections (smtpd_tls_auth_only below, and without auth the client cant # send outbound mail), don't allow non-TLS mail submission on this port anyway to prevent accidental misconfiguration. -# * Require the best ciphers for incoming connections per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/. # By putting this setting here we leave opportunistic TLS on incoming mail at default cipher settings (any cipher is better than none). # * Give it a different name in syslog to distinguish it from the port 25 smtpd server. # * Add a new cleanup service specific to the submission service ('authclean') @@ -93,7 +92,6 @@ tools/editconf.py /etc/postfix/master.cf -s -w \ -o syslog_name=postfix/submission -o smtpd_milters=inet:127.0.0.1:8891 -o smtpd_tls_security_level=encrypt - -o smtpd_tls_ciphers=high -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 -o cleanup_service_name=authclean" \ "authclean=unix n - - - 0 cleanup -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters @@ -111,17 +109,23 @@ sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters # Enable TLS on these and all other connections (i.e. ports 25 *and* 587) and # require TLS before a user is allowed to authenticate. This also makes # opportunistic TLS available on *incoming* mail. -# Set stronger DH parameters, which via openssl tend to default to 1024 bits -# (see ssl.sh). +# Set stronger DH parameters, which via openssl tend to default to 1024 bits. +# Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1 +# (but use and override the "high" cipher list so we don't conflict with the +# more permissive settings for outgoing mail). tools/editconf.py /etc/postfix/main.cf \ smtpd_tls_security_level=may\ smtpd_tls_auth_only=yes \ smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \ smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \ smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \ - smtpd_tls_protocols=\!SSLv2,\!SSLv3 \ - smtpd_tls_ciphers=medium \ - smtpd_tls_exclude_ciphers=aNULL,RC4 \ + smtpd_tls_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \ + smtpd_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \ + smtpd_tls_ciphers=high \ + smtpd_tls_mandatory_ciphers=high \ + smtpd_tls_exclude_ciphers= \ + tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 \ + tls_preempt_cipherlist=no \ smtpd_tls_received_header=yes # Prevent non-authenticated users from sending mail that requires being @@ -143,8 +147,12 @@ tools/editconf.py /etc/postfix/main.cf \ # offers it, otherwise it will transmit the message in the clear. Postfix will # accept whatever SSL certificate the remote end provides. Opportunistic TLS # protects against passive easvesdropping (but not man-in-the-middle attacks). +# Since we'd rather have poor encryption than none at all, we use Mozilla's +# "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1 +# for opportunistic encryption but "Intermediate" recommendations when DANE +# is used (see next and above). + # DANE takes this a step further: -# # Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found, # then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records # or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC @@ -157,11 +165,13 @@ tools/editconf.py /etc/postfix/main.cf \ # now see notices about trusted certs. The CA file is provided by the package `ca-certificates`. tools/editconf.py /etc/postfix/main.cf \ smtp_tls_protocols=\!SSLv2,\!SSLv3 \ - smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3 \ smtp_tls_ciphers=medium \ - smtp_tls_exclude_ciphers=aNULL,RC4 \ + tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \ + smtp_tls_exclude_ciphers= \ smtp_tls_security_level=dane \ smtp_dns_support_level=dnssec \ + smtp_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \ + smtp_tls_mandatory_ciphers=high \ smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt \ smtp_tls_loglevel=2 diff --git a/setup/web.sh b/setup/web.sh index a5720224..e6aac6ef 100755 --- a/setup/web.sh +++ b/setup/web.sh @@ -31,14 +31,19 @@ sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ conf/nginx-ssl.conf > /etc/nginx/conf.d/ssl.conf # Fix some nginx defaults. +# # The server_names_hash_bucket_size seems to prevent long domain names! # The default, according to nginx's docs, depends on "the size of the # processor’s cache line." It could be as low as 32. We fixed it at # 64 in 2014 to accommodate a long domain name (20 characters?). But # even at 64, a 58-character domain name won't work (#93), so now # we're going up to 128. +# +# Drop TLSv1.0, TLSv1.1, following the Mozilla "Intermediate" recommendations +# at https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&openssl-version=1.1.1. tools/editconf.py /etc/nginx/nginx.conf -s \ - server_names_hash_bucket_size="128;" + server_names_hash_bucket_size="128;" \ + ssl_protocols="TLSv1.2 TLSv1.3;" # Tell PHP not to expose its version number in the X-Powered-By header. tools/editconf.py /etc/php/7.2/fpm/php.ini -c ';' \