Submitted by Lucian on Thu, 03/21/2019 - 02:21
Hello,
I have managed to enable LetsEncrypt for a domain and copy its certificate to Dovecot via:
virtualmin install-service-cert --domain some.domain.tld --service dovecot
I'd like to do the same for Postfix, was surprised to get an error instead:
virtualmin install-service-cert --domain some.domain.tld --service postfix
Invalid service postfix. Valid services are usermin webmin dovecot
I thought that was a bit funny, so I went into SSL certificate management for that particular domain and clicked on the button "Copy to postfix". It worked!
I then went back to the command line and ran the same command as before again:
virtualmin install-service-cert --domain some.domain.tld --service postfix
Copying to service postfix ..
Copying certificate, key and CA to Postfix files ..
.. wrote out certificate in /etc/postfix/postfix.cert.pem and key in /etc/postfix/postfix.key.pem
Enabling SSL in Postfix configuration ..
.. done
... It would seem that after I ran the CGI version of "copy to postfix" from the UI, it also appeared as an option on the command line.
This is confusing, there's got to be a bug somewhere.
Status:
Fixed (pending)
Comments
Submitted by JamieCameron on Sat, 03/23/2019 - 12:36 Comment #1
That actually is expected if Postfix wasn't initially set up to support SSL at all - the initial install from the GUI will turn this on, and then you can do per-domain installs.
Submitted by Lucian on Sat, 03/23/2019 - 13:08 Comment #2
Hi,
I am trying to automate all this, so logging in to the UI for the initial config is a no-go.
Any way I can do the postfix bit from the cli?
Submitted by JamieCameron on Sat, 03/23/2019 - 13:11 Comment #3
In your case, are you trying to set up a Postfix cert just for a single domain, or the default cert for the whole system?
Submitted by Lucian on Sat, 03/23/2019 - 14:34 Comment #4
I am trying to copy the letsencrypt cert from a virtual server and onto postfix, dovecot etc globally. I want that to be the default/main cert for the system, if possible.
Submitted by JamieCameron on Sun, 03/24/2019 - 21:27 Comment #5
Ok, this will be possible in the next Virtualmin release.
Submitted by Lucian on Mon, 03/25/2019 - 05:49 Comment #6
Oh, that's excellent, thanks so much!
Submitted by Lucian on Fri, 04/12/2019 - 03:24 Comment #7
I guess the feature is getting even more important in light of the recent Gmail news:
https://www.osnews.com/story/129811/gmail-making-email-more-secure-with-...
So, thanks in advance for your work.
Submitted by Jfro on Fri, 04/12/2019 - 03:48 Comment #8
Not only that part; please also fix the default versions and protocols: ciphers, and exclude too old, insecure TLS versions, ciphers, and 1024 > 2048 > 3072 bit RSA certs and Diffie-Hellman.
See https://www.virtualmin.com/node/65413
In the above link, as Gmail wants a minimal version; not only Gmail and other services, but also websites, are demanding something more up to date for those. ;)
Submitted by JamieCameron on Fri, 04/12/2019 - 11:13 Comment #9
Virtualmin currently disallows use of SSL v2 and v3, but we can also add TLS v1 and v1.1 to that list.
Submitted by Jfro on Fri, 04/12/2019 - 11:22 Comment #10
Please, Jamie, do a fresh CentOS install, then have a look at ssllabs.org and https://discovery.cryptosense.com/
for issues with all that.
HTTPD, proftpd, postfix, SSHD, dovecot, for example: none comes without security issues.
Submitted by JamieCameron on Fri, 04/12/2019 - 17:35 Comment #11
Can you give some more details about the reported security issues, like the exact error messages?
Submitted by Lucian on Fri, 04/12/2019 - 17:47 Comment #12
I am not sure this kind of configuration should fall under the remit of Virtualmin; it sounds more like what a sysadmin should do.
Submitted by Jfro on Sat, 04/13/2019 - 03:56 Comment #13
Either the sysadmin, yup, if not in the control panel and its options; yes, you are right.
I think, though, that documentation from control panels for such things should be up to date, as here I mean:
https://www.virtualmin.com/documentation/security/pci
Also, control panels should have command-line options together with up-to-date documentation for that, to achieve for example PCI compliance, if it is not possible in the control panel UI itself.
Examples: just test a clean, updated CentOS 7 with a clean new Virtualmin install; do follow the test links (check that the IP is not blocked by the firewall). Also the SSL Labs test, to achieve an A. An A+ is of course also possible.
You see it is not secure, and not only non-PCI-compliant and so on, after default clean installs (too old and too outdated documentation in help and how-tos...).
Then every sysadmin can see what to do, I think, but it would flatter a control panel to have such things possible, as a minimum in updated documentation.
So I know CPs, you too?
RC4, 3DES, 1024-bit Diffie-Hellman, 1024-bit RSA, support for some anonymous ciphers: those are some of the things to fix after installation, and also TLS 1.0, I presume.
It's not only sysadmins who know what they do who are using control panels; mostly they don't even use control panels at all, so a kind of responsibility for a secure web and servers you could also expect from control panel software and its documentation, is it not?
The same if you say, hmm (OK, OK ;)), buying a car, you have to look yourself for a secure brake system; no, there is and should be a secure brake system and warning lights and more if something is wrong with that brake system! (Then the dealer/garage/specialist of course has more knowledge to check and replace it if it is not OK.)
So for forum readers and Virtualmin I'm only saying, as a kind of IMPORTANT TIP:
please do check for those things also; a cleanly installed Virtualmin system is not ready to go into production online without taking care of such things! You can test this forum: it says it is using Apache version 2.4.6, PHP version 5.6.40, so even such telling/leaking/exposing of version info to the public is not a secure way to do things, as ..
Sorry, I'm Dutch ;) We have here, sponsored by the Dutch government, this test site, see https://en.internet.nl/site/www.virtualmin.com/509265/ : www.virtualmin.com scores 34% of 100.
Web server IP address: 198.154.100.99
Insecure cipher suites: IDEA-CBC-SHA, ECDHE-RSA-RC4-SHA, RC4-SHA, RC4-MD5
https://en.internet.nl/mail/www.virtualmin.com/216390/ (mail, if it goes over virtualmin.com?): 6% of 100 score
I mean it well, so please don't be angry with me.
And here, for most, a C instead of an A, even one with a D; that is almost the example I mean, Jamie!
https://discovery.cryptosense.com/analyze/virtualmin.com/acc5ea1
Submitted by Jfro on Sat, 04/13/2019 - 04:02 Comment #14
The long list of remediations for that is here. See it as a kind of "meantime manual" for forum visitors for the moment, as it is more updated than the Virtualmin documentation itself; you may of course delete this if ....
For SOFTWARE.VIRTUALMIN.COM:
Certificate expiration
Trigger: The expiration date of this certificate is 2018-08-26 06:18:54.
I put this as a reply in this topic because it is on topic with certs and security for Virtualmin: you do not only have to get the cert for Postfix / the mail server globally right, there is also some more work to do after a fresh Virtualmin installation. Hope it helps some of you to do it right. ;)
Remediation
Remediation R01
OpenSSH < 6.7
Make sure the configuration file /etc/ssh/sshd_config contains the following line:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
OpenSSH ≥ 6.7
Make sure the configuration file /etc/ssh/sshd_config contains the following line:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
Sources
Mozilla OpenSSH Security Guidelines
Remediation R02
OpenSSH < 6.7
Make sure the configuration file /etc/ssh/sshd_config contains the following lines (in the same order):
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
(/etc/ssh/ssh_host_dsa_key should not be used because it only has 1024 bits)
OpenSSH ≥ 6.7
Make sure the configuration file /etc/ssh/sshd_config contains the following lines (in the same order):
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
(/etc/ssh/ssh_host_dsa_key should not be used because it only has 1024 bits)
Sources
Mozilla OpenSSH Security Guidelines
Remediation R03
OpenSSH < 6.7
Make sure the configuration file /etc/ssh/sshd_config contains the following line:
KexAlgorithms diffie-hellman-group-exchange-sha256
OpenSSH ≥ 6.7
Make sure the configuration file /etc/ssh/sshd_config contains the following line:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Sources
Mozilla OpenSSH Security Guidelines
Remediation R05
Apache < 2.4.7
Make sure the configuration file contains the following lines:
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA
(this configuration disables DHE cipher suites because those versions of Apache do not support custom Diffie-Hellman parameters)
Apache ≥ 2.4.7
Make sure the configuration file contains the following lines:
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA
Nginx
Make sure the configuration file contains the following lines:
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA';
Sources
BetterCrypto.org
Server Side TLS (wiki.mozilla.org)
Guide to Deploying Diffie-Hellman for TLS (weakdh.org)
Remediation R06
Dovecot < 2.2
The file conf.d/10-ssl.conf should contain:
ssl_cipher_list = ALL:!kDH:!EDH:-ECDH:EECDH:!DSS:!SRP:!kPSK:!RSAPSK:!eNULL:!RC4:!DES:!3DES:!IDEA:!MD5:!EXP:!LOW:+AECDH:+ADH:+SHA1:+CAMELLIA:+SEED:+RSA
(DHE cipher suites are disabled because these versions of Dovecot don't support strong Diffie-Hellman parameters)
Dovecot ≥ 2.2
The file conf.d/10-ssl.conf should contain:
ssl_cipher_list = ALL:!kDH:-ECDH:EECDH:!DSS:!SRP:!kPSK:!RSAPSK:!eNULL:!RC4:!DES:!3DES:!IDEA:!MD5:!EXP:!LOW:+AECDH:+ADH:+SHA1:+CAMELLIA:+SEED:+EDH:+RSA
Sources
BetterCrypto.org
Dovecot SSL configuration (wiki2.dovecot.org)
Remediation R07
Postfix < 2.6
Make sure you have the following line in main.cf:
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ALL:!kDH:-ECDH:EECDH:AECDH:!DSS:!SRP:!kPSK:!RSAPSK:!eNULL:!RC4:!DES:!3DES:!IDEA:!MD5:!EXP:!LOW:+AECDH:+ADH:+SHA1:+CAMELLIA:+SEED:+EDH:+RSA
These versions of Postfix only allow you to configure the cipher suites used when TLS is mandatory for a connection (e.g. when serving a mail client). For server-to-server mail transfers, that is, when opportunistic encryption is used, all ciphers down to the "export" grade are enabled.
Postfix ≥ 2.6
Make sure you have the following lines in main.cf:
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ALL:!kDH:-ECDH:EECDH:AECDH:!DSS:!SRP:!kPSK:!RSAPSK:!eNULL:!RC4:!DES:!3DES:!IDEA:!MD5:!EXP:!LOW:+AECDH:+ADH:+SHA1:+CAMELLIA:+SEED:+EDH:+RSA
Exim
Make sure you have the following line in the configuration file:
tls_require_ciphers = 'ALL:!kDH:-ECDH:EECDH:AECDH:!DSS:!SRP:!kPSK:!RSAPSK:!eNULL:!RC4:!DES:!3DES:!IDEA:!MD5:!EXP:!LOW:+AECDH:+ADH:+SHA1:+CAMELLIA:+SEED:+EDH:+RSA'
Sources
BetterCrypto.org
Postfix TLS configuration (www.postfix.org)
Exim Main Configuration (www.exim.org)
Remediation R09
Dovecot < 2.2
As those versions of Dovecot do not support good enough Diffie-Hellman parameters, it is suggested you disable DHE cipher suites by making sure you have the following line in conf.d/10-ssl.conf:
ssl_cipher_list = ALL:!kDH:!EDH:-ECDH:EECDH:!DSS:!SRP:!kPSK:!RSAPSK:!eNULL:!RC4:!DES:!3DES:!IDEA:!MD5:!EXP:!LOW:+AECDH:+ADH:+SHA1:+CAMELLIA:+SEED:+RSA
Dovecot ≥ 2.2
The file conf.d/10-ssl.conf should contain:
ssl_dh_parameters_length = 2048
Sources
BetterCrypto.org
Dovecot SSL configuration (wiki2.dovecot.org)
Remediation R10
Postfix
Generate custom Diffie-Hellman parameters with:
openssl dhparam -out /path/to/dhparams.pem 2048
The configuration file /etc/postfix/main.cf should contain the line:
smtpd_tls_dh1024_param_file = /path/to/dhparams.pem
Exim
Generate custom Diffie-Hellman parameters with:
openssl dhparam -out /path/to/dhparams.pem 2048
The configuration file should contain the line:
tls_dhparam = /path/to/dhparams.pem
Sources
Guide to Deploying Diffie-Hellman for TLS (weakdh.org)
TLS Forward Secrecy in Postfix (www.postfix.org)
Exim Main Configuration (www.exim.org)
Remediation R13
Apache
In your Apache configuration file, make sure you have the line:
SSLProtocol All -SSLv2 -SSLv3
(both SSLv2 and SSLv3 are considered insecure and should be disabled)
Nginx
The configuration file should contain the line:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
(only TLS protocols are allowed, eliminating SSLv2 and SSLv3)
Sources
BetterCrypto.org
Server Side TLS (wiki.mozilla.org)
Remediation R14
Dovecot
The file conf.d/10-ssl.conf should contain:
ssl_protocols = !SSLv3 !SSLv2
(both SSLv2 and SSLv3 are considered insecure and should be disabled)
Sources
BetterCrypto.org
Dovecot SSL configuration (wiki2.dovecot.org)
Remediation R15
Postfix < 2.5
The configuration file main.cf should contain the following lines:
smtpd_tls_protocols = TLSv1
smtpd_tls_mandatory_protocols = TLSv1
(both SSLv2 and SSLv3 are considered insecure and should be disabled)
Postfix ≥ 2.5
The configuration file main.cf should contain the following lines:
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
(both SSLv2 and SSLv3 are considered insecure and should be disabled)
Exim
The configuration file should contain the line:
openssl_options = +no_sslv2 +no_sslv3
(both SSLv2 and SSLv3 are considered insecure and should be disabled)
Sources
BetterCrypto.org
Postfix TLS configuration (www.postfix.org)
Exim Main Configuration (www.exim.org)
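The Postfix entries above (R07 and R15) are written as "make sure main.cf contains these lines". As an added example that is neither Virtualmin's nor Cryptosense's code, the following Python audit parses a main.cf fragment and reports every deviation from those two remediations; the sample main.cf is constructed, and the list of weak cipher families is taken from the '!' exclusions in the R07 cipher string.

```python
import re

# Constructed sample main.cf fragment still carrying pre-remediation values.
SAMPLE_MAIN_CF = """\
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
tls_high_cipherlist = ALL:!aNULL:!eNULL:RC4-SHA:DES-CBC3-SHA
"""

# Cipher families the R07 cipher string removes with '!'.
WEAK_CIPHER_TOKENS = ("RC4", "DES", "3DES", "IDEA", "MD5", "EXP", "LOW", "eNULL")

def parse_kv(text):
    """Parse `key = value` lines; lines starting with '#' are comments."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def protocol_enabled(value, proto):
    """Postfix takes either an allow-list or a '!'-prefixed deny-list."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    if not tokens:
        return True            # unset: the permissive library default applies
    if any(t.startswith("!") for t in tokens):
        return "!" + proto not in tokens
    return proto in tokens

def weak_ciphers(cipher_list):
    """OpenSSL cipher-string elements that leave a weak family enabled
    ('!X' and '-X' remove X; '+X' only reorders it, so it is still reported)."""
    return [e for e in filter(None, cipher_list.split(":"))
            if e[0] not in "!-"
            and any(t.upper() in e.lstrip("+").upper() for t in WEAK_CIPHER_TOKENS)]

def audit_postfix(main_cf_text):
    """Return one finding string per deviation from R07/R15."""
    conf = parse_kv(main_cf_text)
    findings = []
    for key in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        for proto in ("SSLv2", "SSLv3"):
            if protocol_enabled(conf.get(key, ""), proto):
                findings.append(f"{key}: {proto} still enabled")
    for key in ("smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers"):
        if conf.get(key) != "high":
            findings.append(f"{key}: grade {conf.get(key, 'unset')!r}, want 'high'")
    for element in weak_ciphers(conf.get("tls_high_cipherlist", "")):
        findings.append(f"tls_high_cipherlist: enables {element}")
    return findings
```

Run it against a real file with `audit_postfix(open("/etc/postfix/main.cf").read())`; a config carrying the R07/R15 lines verbatim produces an empty list.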
Submitted by andreychek on Sat, 04/13/2019 - 08:58 Comment #15
We seem to be getting a bit off-topic here... the initial request by Lucian was just about ensuring that an SSL certificate can be copied into Postfix.
That part is completed.
jfro, if you'd like to start a thread about default protocols and ciphers -- as it looks like you're using Virtualmin GPL there, what we'd encourage you to do is start a new Forum thread on that topic.
We do have some contributed documentation on setting up a system to be PCI compliant, which includes modifying those protocols and ciphers, though at this point it's a few years old... but it may be a good starting point:
https://www.virtualmin.com/documentation/security/pci
Submitted by Jfro on Sat, 04/13/2019 - 11:17 Comment #16
OK see https://www.virtualmin.com/node/65413
I'll let the post above stand, as those are the details and remediations for some of the security problems found.
Submitted by andreychek on Sat, 04/13/2019 - 12:21 Comment #17
Thanks for creating a new thread on the matter!
Submitted by Lucian on Fri, 06/07/2019 - 10:43 Comment #18
Hi,
Hope I'm not annoying anyone, but it's been 2 months. Does anyone know when the fix will be shipped?
Regards, Lucian
Submitted by andreychek on Fri, 06/07/2019 - 11:15 Comment #19
Yeah, we unfortunately haven't had a new Virtualmin release in a few months... you're right though, we have a number of pending features that we'd like to see released soon.
While we unfortunately don't have an ETA at the moment, I'm hopeful that it'll be soon!
Submitted by JamieCameron on Sat, 06/08/2019 - 18:26 Comment #20
To fix this specific issue, you can apply this patch: https://github.com/virtualmin/virtualmin-gpl/commit/09158c6beff53fa19c6f...
Submitted by Lucian on Sun, 06/09/2019 - 02:57 Comment #21
Thanks!