Perfect Forward Secrecy (PFS) for the majority of clients
Andreas Günther
postfix@linuxmaker.com
Mon Jan 25 09:31:28 CET 2016
On Sunday, 24 January 2016, 20:01:12, Werner Flamme wrote:
> Why? Am I overlooking the place in the article where the ECDHE ciphers
> are prescribed?
>
> I run a lot of SLES 11, exactly following the described procedure, and
> on those it works with DHE, because their old openssl cannot do ECDHE
> yet. Clients that can do ECDHE are served that way as well; other clients
> simply get weaker encryption. See also the closing paragraph of the
> article...
What made me suspicious was this passage: "and old software versions do not always fall back to DHE methods", together with the inability of my K@Mail Pro on Android 4.3 to connect to the mail server.
I have tried this several times now, and I am certainly not making the same mistakes with the name and password over and over, especially since the login name and password work with my mail client KMail.
Perhaps this will clear itself up and I am doing something wrong when configuring it on Android 4.3.
Here is what I set:
Security type: STARTTLS (always)
Authentication method: PLAIN
Port: 587
and for receiving:
Security type: SSL/TLS (always)
Authentication method: PLAIN
Message from K@Mail Pro:
"Connection to server not possible. (Negative SMTP reply: 535 5.7.8 Error authentication failed: UGFzc3dvcmQ6)"
/var/log/mail.log
Jan 25 08:56:29 mail postfix/smtpd[10707]: connect from p5DE789E0.dip0.t-ipconnect.de[92.131.132.114]
Jan 25 08:56:30 mail postfix/smtpd[10707]: Anonymous TLS connection established from p5de789e0.dip0.t-ipconnect.de[92.131.132.114]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 25 08:56:32 mail postfix/smtpd[10707]: warning: p5DE789E0.dip0.t-ipconnect.de[92.131.132.114]: SASL PLAIN authentication failed:
Jan 25 08:56:38 mail postfix/smtpd[10707]: warning: p5DE789E0.dip0.t-ipconnect.de[92.131.132.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Here
echo "UGFzc3dvcmQ6" | base64 -d
decodes to 'Password:'.
And analogously, the log files on the receiving side:
/var/log/dovecot/dovecot-debug.log
2016-01-25 09:04:01 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
2016-01-25 09:04:01 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
2016-01-25 09:04:01 auth: Debug: auth client connected (pid=10760)
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [92.131.132.114]
2016-01-25 09:04:01 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [92.131.132.114]
2016-01-25 09:04:01 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=6mkFAyQq4QBd54ng lip=192.168.1.2 rip=92.131.132.114 lport=993 rport=45537 resp=<hidden>
2016-01-25 09:04:01 auth-worker(10762): Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
2016-01-25 09:04:01 auth-worker(10762): Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
2016-01-25 09:04:01 auth-worker(10762): Debug: sql(andreas@example.com,92.131.132.114): query: SELECT password FROM mailbox WHERE username = 'andreas@example.com'
2016-01-25 09:04:03 auth: Debug: client passdb out: FAIL 1 user=andreas@example.com
2016-01-25 09:04:03 imap-login: Debug: SSL alert: close notify [92.131.132.114]
2016-01-25 09:04:03 imap-login: Debug: SSL alert: close notify [92.131.132.114]
/var/log/dovecot/dovecot-info.log
2016-01-25 09:04:01 auth-worker(10762): Info: sql(andreas@example.com,92.131.132.114): unknown user
2016-01-25 09:04:03 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<andreas@example.com>, method=PLAIN, rip=92.131.132.114, lip=192.168.1.2, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Message from K@Mail Pro:
"Username or password incorrect. (Command: *sensitive*; response: #1 [NO, [AUTHENTICATIONFAILED], Authentication failed:])"
My configuration is as follows:
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.3
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
debug_log_path = /var/log/dovecot/dovecot-debug.log
dict {
  sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf
}
info_log_path = /var/log/dovecot/dovecot-info.log
listen = *,[::]
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_debug = yes
mail_fsync = always
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = quota acl
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mmap_disable = yes
namespace {
  list = yes
  location = maildir:%%h/:INDEXPVT=~/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archiv {
    special_use = \Archive
  }
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Archives {
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Entwürfe {
    special_use = \Drafts
  }
  mailbox "Gelöschte Objekte" {
    special_use = \Trash
  }
  mailbox Gesendet {
    special_use = \Sent
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Papierkorb {
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
plugin {
  acl = vfile
  acl_anyone = allow
  acl_shared_dict = file:/var/vmail/shared-mailboxes.db
  quota = dict:User quota::proxy::sqlquota
  quota_rule2 = Trash:storage=+100%%
  sieve = /var/vmail/sieve/%u.sieve
  sieve_after = /var/vmail/sieve/global.sieve
  sieve_max_script_size = 1M
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
}
protocols = imap sieve lmtp pop3
service auth {
  unix_listener /var/spool/postfix/private/auth_dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    mode = 0600
    user = vmail
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = root
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 2
  service_count = 1
  vsz_limit = 128 M
}
service managesieve {
  process_limit = 256
}
ssl_cert = </etc/ssl/private/mail.example.com.crt
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/mail.example.com.key
ssl_protocols = !SSLv3 !SSLv2
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
verbose_ssl = yes
protocol imap {
  mail_plugins = quota imap_quota imap_acl acl
}
protocol lmtp {
  auth_socket_path = /var/run/dovecot/auth-master
  mail_plugins = quota sieve acl
  postmaster_address = postmaster@example.com
}
protocol sieve {
  managesieve_logout_format = bytes=%i/%o
}
remote 127.0.0.1 {
  disable_plaintext_auth = no
}
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maximal_backoff_time = 1800s
maximal_queue_lifetime = 1d
message_size_limit = 26214400
milter_default_action = accept
milter_protocol = 6
minimal_backoff_time = 300s
mydestination = mail.example.com, localhost.example.com, localhost
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1 hostkarma.junkemailfilter.com=127.0.1.2*1 wl.mailspike.net=127.0.0.[18;19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 2d
postscreen_greet_wait = 3s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
relayhost =
smtp_header_checks = pcre:/etc/postfix/anonymize_headers.pcre
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/mail/mail.crt
smtp_tls_key_file = /etc/ssl/mail/mail.key
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_helo_required = yes
smtpd_proxy_timeout = 600s
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
smtpd_restriction_classes = z1_greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth_dovecot
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/mail.example.com.crt
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
z1_greylisting = permit_dnswl_client list.dnswl.org, check_policy_service inet:127.0.0.1:10023
As I said, maybe I am also doing something wrong myself. In any case, I assumed that Android 4.3 does not yet support the method.
Regards
Andreas
-------------- next part --------------
An attachment with HTML data was scrubbed...
URL: <https://listi.jpberlin.de/pipermail/postfixbuch-users/attachments/20160125/bef45bb7/attachment.html>
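Reading the two logs in the message together, as an added example (my code, not from the post, from Postfix or from Dovecot): the script takes the Postfix and Dovecot lines quoted above (copied here as constructed sample input with the line wrapping removed), records which protocol and cipher each connection negotiated and whether that cipher is forward-secret, decodes the base64 token Postfix appends to the SASL LOGIN failure, and states whether the rejection happened in TLS or in authentication. The regular expressions match only the log formats visible in the post; "Username:" and "Password:" are the two standard prompts of the SASL LOGIN mechanism, which is why the token decodes to a prompt and not to anything the client sent.

```python
"""Triage of Postfix/Dovecot log lines: did TLS succeed, and where did the
login fail?  Constructed sample input; for a live check feed it the output
of `grep smtpd /var/log/mail.log` and dovecot-info.log."""
import base64
import binascii
import re

# Constructed sample input: the lines quoted in the post, unwrapped.
POSTFIX_LOG = """\
Jan 25 08:56:29 mail postfix/smtpd[10707]: connect from p5DE789E0.dip0.t-ipconnect.de[92.131.132.114]
Jan 25 08:56:30 mail postfix/smtpd[10707]: Anonymous TLS connection established from p5de789e0.dip0.t-ipconnect.de[92.131.132.114]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 25 08:56:32 mail postfix/smtpd[10707]: warning: p5DE789E0.dip0.t-ipconnect.de[92.131.132.114]: SASL PLAIN authentication failed:
Jan 25 08:56:38 mail postfix/smtpd[10707]: warning: p5DE789E0.dip0.t-ipconnect.de[92.131.132.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""
DOVECOT_LOG = """\
2016-01-25 09:04:01 auth-worker(10762): Info: sql(andreas@example.com,92.131.132.114): unknown user
2016-01-25 09:04:03 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<andreas@example.com>, method=PLAIN, rip=92.131.132.114, lip=192.168.1.2, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
"""

SMTPD_TLS_RE = re.compile(
    r"TLS connection established from [^\s\[]+\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
SMTPD_SASL_RE = re.compile(
    r"\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\w+) authentication failed:\s*(?P<tail>\S*)")
DOVECOT_FAIL_RE = re.compile(
    r"(?P<svc>\w+)-login: Info: Disconnected \(auth failed.*?user=<(?P<user>[^>]+)>, "
    r"method=(?P<mech>\w+).*?(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
UNKNOWN_USER_RE = re.compile(r"sql\((?P<user>[^,]+),(?P<ip>[^)]+)\): unknown user")

LOGIN_PROMPTS = {"Username:", "Password:"}   # the SASL LOGIN mechanism's prompts


def decode_b64(token):
    """Decode a base64 token from a log line; None if empty or not base64."""
    if not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_pfs(cipher):
    """Ephemeral (EC)DH key exchange, i.e. forward secrecy, by OpenSSL suite name."""
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-"))


def triage(postfix_log, dovecot_log):
    """Collect TLS handshakes and authentication failures from both logs."""
    tls, failures, unknown = [], [], []
    for line in postfix_log.splitlines():
        if m := SMTPD_TLS_RE.search(line):
            tls.append({"service": "smtpd", "ip": m["ip"], "proto": m["proto"],
                        "cipher": m["cipher"], "pfs": is_pfs(m["cipher"])})
        elif m := SMTPD_SASL_RE.search(line):
            decoded = decode_b64(m["tail"])
            failures.append({"service": "smtpd", "ip": m["ip"], "mech": m["mech"],
                             # the token is the server's own last LOGIN prompt
                             "server_prompt": decoded if decoded in LOGIN_PROMPTS else None})
    for line in dovecot_log.splitlines():
        if m := UNKNOWN_USER_RE.search(line):
            unknown.append(m["user"])           # passdb query returned no row
        elif m := DOVECOT_FAIL_RE.search(line):
            tls.append({"service": m["svc"], "ip": None, "proto": m["proto"],
                        "cipher": m["cipher"], "pfs": is_pfs(m["cipher"])})
            failures.append({"service": m["svc"], "user": m["user"],
                             "mech": m["mech"], "server_prompt": None})
    return {"tls": tls, "auth_failures": failures, "unknown_users": unknown,
            "verdict": verdict(tls, failures, unknown)}


def verdict(tls, failures, unknown):
    if not tls:
        return "no TLS handshake logged: look at the TLS/cipher configuration first"
    if not all(t["pfs"] for t in tls):
        return "TLS established, but at least one connection without forward secrecy"
    if unknown:
        return ("TLS with forward secrecy on every connection; the rejection comes "
                "from the passdb lookup (unknown user %s), not from TLS" % ", ".join(unknown))
    if failures:
        return "TLS with forward secrecy on every connection; SASL authentication failed"
    return "TLS with forward secrecy and no authentication failure"


if __name__ == "__main__":
    result = triage(POSTFIX_LOG, DOVECOT_LOG)
    for t in result["tls"]:
        print(f"{t['service']}: {t['proto']} {t['cipher']} pfs={t['pfs']}")
    for f in result["auth_failures"]:
        print(f"{f['service']}: {f['mech']} failed, server prompt={f['server_prompt']}")
    print(result["verdict"])
```

For the quoted lines the script reports that both connections finished TLSv1.2 with a DHE or ECDHE suite and that the rejection came from Dovecot's passdb ("unknown user"), so the cipher configuration is not what is stopping the Android client; the SQL query logged in dovecot-debug.log is the next thing to look at.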
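The cipher string used for ssl_cipher_list and tls_high_cipherlist in the posted configuration, evaluated through the local OpenSSL via Python's ssl module, as an added example that is not from the post: it lists the suites the string selects in server preference order and checks the property the reply describes, that ephemeral (EC)DHE suites come first, that the four plain-RSA suites named at the end of the string survive only as the fallback for clients that can do neither ECDHE nor DHE, and that nothing excluded with "!" is left. Everything here is parsed from OpenSSL's own cipher description text; the outcome depends on the OpenSSL build and security level of the machine you run it on, which is exactly the point: the server's OpenSSL and a client's library can expand the same string differently.

```python
"""Expand an OpenSSL cipher string and check its forward-secrecy ordering."""
import re
import ssl

# Copied from the configuration in the post (line wrapping removed).
POSTED_CIPHERLIST = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:"
    "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Kx= values OpenSSL prints for ephemeral (forward-secret) key exchange.
PFS_KX = {"ECDH", "DH"}
# Substrings that the "!" rules in the string must have removed.
FORBIDDEN = ("RC4", "DES-", "MD5", "NULL", "EXP-", "SEED", "PSK", "ECDSA", "DSS")


def expand(spec):
    """(name, kx) for every TLS <= 1.2 suite the local OpenSSL selects, in
    server preference order.  TLS 1.3 suites are configured separately and
    are always ephemeral, so they are left out of the ordering check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)           # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        m = re.search(r"Kx=(\S+)", c["description"])
        suites.append((c["name"], m.group(1) if m else "?"))
    return suites


def check(spec):
    """Summarise a cipher string: PFS suites first, non-PFS only as a tail,
    nothing forbidden."""
    suites = expand(spec)
    kxs = [kx for _, kx in suites]
    # index of the first non-PFS suite; everything after it must be non-PFS too
    cut = next((i for i, kx in enumerate(kxs) if kx not in PFS_KX), len(kxs))
    return {
        "count": len(suites),
        "pfs_first": all(kx in PFS_KX for kx in kxs[:cut])
                     and all(kx not in PFS_KX for kx in kxs[cut:]),
        "fallback": [name for name, _ in suites[cut:]],
        "forbidden": [name for name, _ in suites
                      if any(bad in name for bad in FORBIDDEN)],
    }


if __name__ == "__main__":
    for name, kx in expand(POSTED_CIPHERLIST):
        print(f"{name:40s} Kx={kx}")
    print(check(POSTED_CIPHERLIST))
```

Because "+AES256", "+SSLv3" and the other "+" rules only move suites that are already in the list, and the four RSA suites are appended last, the (EC)DHE suites always precede the non-PFS ones; a client that offers only AES256-SHA is served, but gets no forward secrecy, which is the trade-off the thread is discussing.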