25 May
2021
25 May
'21
3:35 p.m.
Hello,
Our security department scanned the ciphermail gateway and is seeing issues that need to
be fixed:
* I've replaced the web GUI certificate (done that many times), but the old
certificate appears still to be in use for SMTP. This certificate is now expired.
How can the MTA be configured to use the new certificate?
* I'm using an appliance VM image (V4.3.0-1, with the latest updates), and it is
still using TLS1.0/1.1, SSLv3 and RC4 cipher suites
How can those old protocols/ciphers be disabled?
More issues are found, but I'll focus on these issues first.
Met vriendelijke groet / Regards,
Michel Erdmann
25 May
25 May
4:27 p.m.
I’ve replaced the web GUI certificate (done that many
times), but
the old certificate appears still to be in use for SMTP. This
certificate is now expired.
How can the MTA be configured to use the new certificate?
The community edition of the virtual appliance does not support
uploading a new cert for the MTA (the pro/enterprise edition has
support for this). So you, or someone else, probably uploaded and
configured the cert manually. Since the underlying SMTP is postfix, it
should be easy to replace the certificate.
Note: in the upcoming release of the community edition we also copy the
cert for the web GUI to the postfix config.
I’m using an appliance VM image (V4.3.0-1, with the
latest updates),
and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites
How can those old protocols/ciphers be disabled?
It should be noted that Postfix (and SMTP in general) by default
provides opportunistic TLS, i.e., use TLS if available, if not connect
with TLS. Disabling weak ciphers does not increase the security level
if you still allow unencrypted connections (when DANE is used things
are different). That said, since Postfix is used for the MTA part, you
can easily disable weak ciphers.
For example to disable TLS <= 1.1 add the following line to te postfix
main config (main.cf)
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
The above configuration disables TLS <= 1.1 for the SMTP daemon
If you would like to disable weak ciphermail for the SMTP client, use
smtp_tls_mandatory_protocols
Again, disabling weak ciphers might result in fallback to *no* TLS if
the SMTP server you are connecting to does not support TLS >= 1.2
For more information on TLS configuration of Postfix see:
http://www.postfix.org/TLS_README.html
For the upcoming release of the gateway we will review the default TLS
configuration.
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
On Tue, 2021-05-25 at 13:35 +0000, m.erdmann--- via Users wrote:
> Hello,
>
> Our security department scanned the ciphermail gateway and is seeing
> issues that need to be fixed:
>
I’ve replaced the web GUI certificate (done that many
times), but
the old certificate appears still to be in use for SMTP. This
certificate is now expired.
How can the MTA be configured to use the new certificate?
I’m using an appliance VM image (V4.3.0-1, with the
latest updates),
and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites
How can those old protocols/ciphers be disabled?
>
> More issues are found, but I’ll focus on these issues first.
>
> Met vriendelijke groet / Regards,
>
> Michel Erdmann
>
26 May
26 May
1:26 p.m.
Martijn,
Thanks for the reminder, I did indeed already configure the previous certificate manually
in now reconfigured postfix to use the new one.
I also made many changes to the protocols and ciphers used by the smtp deamon and client,
so only Tls1.2 with strong ciphers is available now.
(our Ciphermail is 'inbetween' smtp server in our own network, so no unpredicted
fallback to *no* TLS would occur, but it is also unavailable now).
One last item from the Security Scan remains: a vulnerable version of JQuery seems to be
installed in the appliance VM.
The remote web server is affected by multiple cross site scripting vulnerability.
Description
According to the self-reported version in the script, the version of JQuery hosted on the
remote web server is greater than or equal to 1.2 and prior to 3.5.0.
It is, therefore, affected by multiple cross site scripting vulnerabilities.
Can this be fixed?
Met vriendelijke groet / Regards,
Michel Erdmann
-----Original Message-----
From: Martijn Brinkers <martijn(a)ciphermail.com>
Sent: dinsdag 25 mei 2021 16:27
To: users(a)lists.ciphermail.com
Cc: Erdmann, M. (LISA) <m.erdmann(a)utwente.nl>
Subject: Re: [CipherMail User] Security scans, changes needed
I’ve replaced the web GUI certificate (done that many
times), but the
old certificate appears still to be in use for SMTP. This certificate
is now expired.
How can the MTA be configured to use the new certificate?
The community edition of the virtual appliance does not support uploading a new cert for
the MTA (the pro/enterprise edition has support for this). So you, or someone else,
probably uploaded and configured the cert manually. Since the underlying SMTP is postfix,
it should be easy to replace the certificate.
Note: in the upcoming release of the community edition we also copy the cert for the web
GUI to the postfix config.
I’m using an appliance VM image (V4.3.0-1, with the
latest updates),
and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites How can
those old protocols/ciphers be disabled?
It should be noted that Postfix (and SMTP in general) by default provides opportunistic
TLS, i.e., use TLS if available, if not connect with TLS. Disabling weak ciphers does not
increase the security level if you still allow unencrypted connections (when DANE is used
things are different). That said, since Postfix is used for the MTA part, you can easily
disable weak ciphers.
For example to disable TLS <= 1.1 add the following line to te postfix main config
(main.cf)
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
The above configuration disables TLS <= 1.1 for the SMTP daemon
If you would like to disable weak ciphermail for the SMTP client, use
smtp_tls_mandatory_protocols
Again, disabling weak ciphers might result in fallback to *no* TLS if the SMTP server you
are connecting to does not support TLS >= 1.2
For more information on TLS configuration of Postfix see:
http://www.postfix.org/TLS_README.html
For the upcoming release of the gateway we will review the default TLS configuration.
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF Messenger and Webmail Messenger
On Tue, 2021-05-25 at 13:35 +0000, m.erdmann--- via Users wrote:
> Hello,
>
> Our security department scanned the ciphermail gateway and is seeing
> issues that need to be fixed:
>
I’ve replaced the web GUI certificate (done that many
times), but the
old certificate appears still to be in use for SMTP. This certificate
is now expired.
How can the MTA be configured to use the new certificate?
I’m using an appliance VM image (V4.3.0-1, with the
latest updates),
and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites How can
those old protocols/ciphers be disabled?
>
> More issues are found, but I’ll focus on these issues first.
>
> Met vriendelijke groet / Regards,
>
> Michel Erdmann
>
31 May
31 May
2:22 p.m.
One last item from the Security Scan remains: a
vulnerable version of
JQuery seems to be installed in the appliance VM.
The remote web server is affected by multiple cross site
scripting vulnerability.
Description
According to the self-reported version in the script, the
version of JQuery hosted on the remote web server is greater than or
equal to 1.2 and prior to 3.5.0.
It is, therefore, affected by multiple cross site scripting
vulnerabilities.
The gateway makes limited use of Javascript and does not use client
side generated HTML. We therefore believe that issues with jquery
cannot be misused with the gateway. That said, in the upcoming release,
which will be released real soon, we have fixed all know jquery CVE
issues by patching jquery. The version will report v1.12.4 patch
26052021, i.e., still version 1.12.4 but with patches applied.
Note that a lot of high profiles sites still use 1.12.4 like for
example Stackoverflow (https://stackoverflow.com/).
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
One last item from the Security Scan remains: a
vulnerable version of
JQuery seems to be installed in the appliance VM.
The remote web server is affected by multiple cross site
scripting vulnerability.
Description
According to the self-reported version in the script, the
version of JQuery hosted on the remote web server is greater than or
equal to 1.2 and prior to 3.5.0.
It is, therefore, affected by multiple cross site scripting
vulnerabilities.
>
> Can this be fixed?
>
> Met vriendelijke groet / Regards,
>
> Michel Erdmann
>
>
> -----Original Message-----
> From: Martijn Brinkers <martijn(a)ciphermail.com>
> Sent: dinsdag 25 mei 2021 16:27
> To: users(a)lists.ciphermail.com
> Cc: Erdmann, M. (LISA) <m.erdmann(a)utwente.nl>
> Subject: Re: [CipherMail User] Security scans, changes needed
>
> > I’ve replaced the web GUI certificate (done that many times), but
> > the
> > old certificate appears still to be in use for SMTP. This
> > certificate
> > is now expired.
> > How can the MTA be configured to use the new certificate?
>
> The community edition of the virtual appliance does not support
> uploading a new cert for the MTA (the pro/enterprise edition has
> support for this). So you, or someone else, probably uploaded and
> configured the cert manually. Since the underlying SMTP is postfix,
> it should be easy to replace the certificate.
>
> Note: in the upcoming release of the community edition we also copy
> the cert for the web GUI to the postfix config.
>
> > I’m using an appliance VM image (V4.3.0-1, with the latest
> > updates),
> > and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites How
> > can
> > those old protocols/ciphers be disabled?
>
> It should be noted that Postfix (and SMTP in general) by default
> provides opportunistic TLS, i.e., use TLS if available, if not
> connect with TLS. Disabling weak ciphers does not increase the
> security level if you still allow unencrypted connections (when DANE
> is used things are different). That said, since Postfix is used for
> the MTA part, you can easily disable weak ciphers.
>
> For example to disable TLS <= 1.1 add the following line to te
> postfix main config (main.cf)
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> The above configuration disables TLS <= 1.1 for the SMTP daemon
>
> If you would like to disable weak ciphermail for the SMTP client, use
>
> smtp_tls_mandatory_protocols
>
> Again, disabling weak ciphers might result in fallback to *no* TLS if
> the SMTP server you are connecting to does not support TLS >= 1.2
>
> For more information on TLS configuration of Postfix see:
>
> http://www.postfix.org/TLS_README.html
>
>
> For the upcoming release of the gateway we will review the default
> TLS configuration.
>
> Kind regards,
>
> Martijn Brinkers
>
>
> --
> CipherMail email encryption
> Email encryption with support for S/MIME, OpenPGP, PDF Messenger and
> Webmail Messenger
>
> On Tue, 2021-05-25 at 13:35 +0000, m.erdmann--- via Users wrote:
> > Hello,
> >
> > Our security department scanned the ciphermail gateway and is
> > seeing
> > issues that need to be fixed:
> >
> > I’ve replaced the web GUI certificate (done that many times), but
> > the
> > old certificate appears still to be in use for SMTP. This
> > certificate
> > is now expired.
> > How can the MTA be configured to use the new certificate?
> > I’m using an appliance VM image (V4.3.0-1, with the latest
> > updates),
> > and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites How
> > can
> > those old protocols/ciphers be disabled?
> >
> > More issues are found, but I’ll focus on these issues first.
> >
> > Met vriendelijke groet / Regards,
> >
> > Michel Erdmann
> >
>
>
350
days inactive
356
days old
3 comments
2 participants
participants (2)
-
m.erdmann@utwente.nl -
Martijn Brinkers