Security Scan and TLS issues #3161
jshapiro2 started this conversation in Development discussions
Replies: 2 comments
-
Unfortunately changing the config file won't fix any of those problems, they all sound like how Postal currently functions.
This sounds normal, Postal can only use explicit TLS, i.e. STARTTLS, and it does not force it at any point.
I'm not sure off the top of my head if these are related to the Ruby version, the Rails version, or the docker image itself. Perhaps someone else will be more knowledgeable than I am.
-
Any way to disable TLSv1.0 and TLSv1.1?
-
Hello All,
No matter what I try I keep getting three security issues when scanning the server.
1. Email Service Supports Unencrypted Authentication
The remote SMTP server accepts logins via the following cleartext authentication mechanisms over unencrypted connections:
PLAIN
LOGIN
The remote SMTP server supports the 'STARTTLS' command but isn't enforcing the use of it for the cleartext authentication mechanisms.
2. TLS Renegotiation Denial of Service Possible
The following indicates that the remote SSL/TLS service is affected:
Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection
TLSv1.1 | 10
TLSv1.2 | 10
3. Vulnerable TLS Protocol Version
SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection
CVSS Rating 4.3 (v2)
CVE-2011-3389
CVE-2015-0204
In addition to TLSv1.2+ the service is also providing the deprecated TLSv1.0 and TLSv1.1 protocols and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Supported Cipher Suites' (OID: 1.3.6.1.4.1.25623.1.0.802067) VT.
Here is postal.yml

```yaml
general:
  # This can be changed to allow messages to be sent from multiple IP addresses
  use_ip_pools: false
  maximum_delivery_attempts: 10

web:
  # The host that the management interface will be available on
  host: sub.domain.ai
  # The protocol that requests to the management interface should happen on
  protocol: https

web_server:
  # Specify configuration for the Postal web server
  # (bind_address/port appeared twice in the posted file; duplicate keys are
  # invalid YAML and a lenient parser keeps only the last pair, so the first
  # pair is commented out here)
  # bind_address: 10.0.0.23
  # port: 5000
  bind_address: 0.0.0.0
  port: 5000

smtp_server:
  # Specify configuration to the Postal SMTP server
  port: 25
  tls_enabled: true
  tls_required: true
  tls_certificate_path: /opt/ssl_certs/domain.crt
  tls_private_key_path: /opt/ssl_certs/multi_domain.key
  tls_ciphers: HIGH:!aNULL:!MD5
  allow_starttls: true # This allows the connection to be upgraded to TLS
  require_authentication: true # Ensure that authentication is required
  enforce_tls_authentication: true # Disallow authentication unless encrypted
  disable_plaintext_auth: true # Explicitly disable PLAIN and LOGIN on unencrypted connections
  # Enforce TLSv1.2 and TLSv1.3 only
  tls_protocols:
    - "TLSv1.2"
    - "TLSv1.3"

logging:
  # Specify options for the logging
  stdout: true
  smtp_server: debug

main_db:
  # Specify the connection details for your MySQL database
  host: 10.0.0.12
  username: postal
  password: string
  database: postal

message_db:
  # Specify the connection details for your MySQL server that will house the
  # message databases for mail servers.
  host: 10.0.0.12
  username: postal
  password: string
  prefix: postal

rabbitmq:
  # Specify connection details for your RabbitMQ server
  host: 127.0.0.1
  username: postal
  password: string
  vhost: postal

dns:
  # Specify the DNS records that you have configured. Refer to the documentation at
  # https://github.com/atech/postal/wiki/Domains-&-DNS-Configuration for further
  # information about these.
  mx_records:
    - mx.sub.domain.ai
  smtp_server_hostname: sub.domain.ai
  spf_include: spf.sub.domain.ai
  return_path: rp.sub.domain.ai
  route_domain: routes.sub.domain.ai
  track_domain: track.sub.domain.ai
  dkim_identifier: postal

smtp:
  # Specify an SMTP server that can be used to send messages from the Postal management
  # system to users. You can configure this to use a Postal mail server once
  # your installation has been set up.
  host: 127.0.0.1
  port: 2525
  username: # Complete when Postal is running and you can
  password: # generate the credentials within the interface.
  from_name: Some Company
  from_address: [email protected]

rails:
  # This is generated automatically by the config initialization. It should be a random
  # string unique to your installation.
  secret_key: string
```
Here is Caddyfile

```caddyfile
# Update this to match the hostname you wish to use for accessing the
# Postal web interface.
sub.domain.ai {
  reverse_proxy 0.0.0.0:5000
  tls /certs/domain.crt /certs/multi_domain.key {
    protocols tls1.2 tls1.3
  }
}

# If you use open/click tracking you may need to add additional hosts
# to this file using the format below.
track.sub.domain.ai {
  reverse_proxy 0.0.0.0:5000 {
    header_up X-Postal-Track-Host "1"
  }
  tls /certs/domain.crt /certs/multi_domain.key {
    protocols tls1.2 tls1.3
  }
}

sandbox.domain.com {
  reverse_proxy 0.0.0.0:5000 {
    header_up X-Postal-Track-Host "1"
  }
  tls {
    on_demand
    protocols tls1.2 tls1.3
  }
}

open.sandbox.domain.com {
  reverse_proxy 0.0.0.0:5000 {
    header_up X-Postal-Track-Host "1"
  }
  tls {
    on_demand
    protocols tls1.2 tls1.3
  }
}

trk.agreements.domain.com {
  reverse_proxy 0.0.0.0:5000 {
    header_up X-Postal-Track-Host "1"
  }
  tls {
    on_demand
    protocols tls1.2 tls1.3
  }
}
```
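To check findings 1 and 3 from the post (and the explicit-STARTTLS behaviour described in the first reply) against the actual port-25 listener instead of trusting the scanner report, here is an added example in Python. It is not Postal's code and not the scanner's. `check_cleartext_auth()` reads the EHLO capabilities on a plain TCP connection and then sends a bogus `AUTH PLAIN` to see whether the server evaluates credentials before STARTTLS; `accepted_tls_versions()` retries STARTTLS with the client pinned to one protocol version at a time. `StubSMTPHandler` and `start_stub` are a constructed in-process SMTP stub (no TLS) with the made-up hostname `stub.example`, so the first check can run offline in both the weak and the enforcing configuration; `127.0.0.1`, the loopback port, the `probe.invalid` EHLO name and the `probe`/`probe` credentials are assumptions.

```python
"""Added example (not Postal's or the scanner's code): reproduce scanner
findings 1 and 3 against an SMTP listener.  check_cleartext_auth() asks whether
AUTH PLAIN/LOGIN is offered and actually evaluated before STARTTLS;
accepted_tls_versions() retries STARTTLS pinned to one TLS version at a time.
StubSMTPHandler/start_stub are a constructed in-process stub (no TLS) so the
first check can be exercised offline in both the weak and enforcing modes."""
import base64
import smtplib
import socketserver
import ssl
import threading


def check_cleartext_auth(host, port, timeout=5):
    """Return what the server offers and accepts on the unencrypted socket."""
    finding = {"starttls_offered": False, "cleartext_mechs": [],
               "cleartext_auth_accepted": False}
    with smtplib.SMTP(host, port, local_hostname="probe.invalid",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        finding["starttls_offered"] = smtp.has_extn("starttls")
        mechs = smtp.esmtp_features.get("auth", "").upper().split()
        finding["cleartext_mechs"] = [m for m in mechs if m in ("PLAIN", "LOGIN")]
        if finding["cleartext_mechs"]:
            # Bogus credentials ("probe"/"probe", an assumption) sent in clear.
            # A server that enforces STARTTLS refuses with 5xx (typically 530)
            # before looking at them; 334/235/535 means it evaluated cleartext
            # credentials, which is exactly what the scanner flags.
            token = base64.b64encode(b"\0probe\0probe").decode()
            code, _ = smtp.docmd("AUTH", "PLAIN " + token)
            finding["cleartext_auth_accepted"] = code in (235, 334, 535)
    return finding


def accepted_tls_versions(host, port, timeout=5):
    """Names of the TLS versions the server completes a STARTTLS handshake for."""
    accepted = []
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # probing the protocol, not trusting the cert
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = ver  # pin exactly one
            with smtplib.SMTP(host, port, local_hostname="probe.invalid",
                              timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
                accepted.append(ver.name)
        except (ValueError, ssl.SSLError, smtplib.SMTPException, OSError):
            # ValueError: the local OpenSSL will not even configure that version
            # (reported as not accepted); the rest: STARTTLS refused or handshake failed.
            continue
    return accepted


class StubSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stub: advertises STARTTLS and AUTH PLAIN LOGIN.  With
    server.enforce_starttls False it evaluates cleartext AUTH (the weak
    behaviour the scanner reports); with True it refuses AUTH until TLS."""

    def reply(self, *lines):
        for line in lines:
            self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply("220 stub.example ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb = raw.decode(errors="replace").strip().partition(" ")[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250-stub.example", "250-STARTTLS",
                           "250-AUTH PLAIN LOGIN", "250 8BITMIME")
            elif verb == "AUTH" and self.server.enforce_starttls:
                self.reply("530 5.7.0 Must issue a STARTTLS command first")
            elif verb == "AUTH":
                self.reply("535 5.7.8 Authentication credentials invalid")
            elif verb == "STARTTLS":
                self.reply("454 4.7.0 TLS not available in this stub")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("250 2.0.0 OK")


def start_stub(enforce_starttls):
    """Bind the stub to a random loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubSMTPHandler)
    server.enforce_starttls = enforce_starttls
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_against_stub(enforce_starttls):
    """Run the cleartext-auth check against a stub in the given mode."""
    server, port = start_stub(enforce_starttls)
    try:
        return check_cleartext_auth("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for enforce in (False, True):
        print("enforce_starttls=%s -> %s" % (enforce, run_against_stub(enforce)))
    # Against the real host: check_cleartext_auth("sub.domain.ai", 25)
    #                        accepted_tls_versions("sub.domain.ai", 25)
```

Against the real listener, `check_cleartext_auth("sub.domain.ai", 25)` should come back with `cleartext_auth_accepted` False only if the server answers the plaintext AUTH with a 5xx before evaluating it, and `accepted_tls_versions("sub.domain.ai", 25)` should list TLSv1_2 and TLSv1_3 only. One caveat on the version probe: it can only report TLS 1.0/1.1 as accepted if the local OpenSSL is still willing to negotiate them as a client; recent builds refuse, which this code reports as "not accepted" (a false negative), so cross-check from a machine with an older OpenSSL using `openssl s_client -starttls smtp -tls1_1 -connect sub.domain.ai:25`.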