Exim with GnuTLS

[ygoe]

Exim uses GnuTLS by default, so the OpenSSL config options do not apply. Exim does not come with any documentation about what exactly we should set in the configuration and does not recommend any security config itself. So we're left alone with this. Can you make a suggestion here?

My config still only disables SSLv3 and leaves the rest unconfigured. This might need to be updated. The GnuTLS version is 3.

[tomato42]

email is a tricky beast, as vast majority of mail servers will gladly drop down to plaintext, so disabling protocols or ciphers on port 25 (i.e. MX port) is counter productive: even 3DES in SSLv3 or anonymous Diffie-Hellman is better than plaintext...

So unless you're willing to disallow plaintext communication on port 25, you shouldn't change ciphers used by exim

[ygoe]

Then why are there any recommendations (for OpenSSL) at all? Also, there's clients (authenticating with a password) connecting to the server. I'm going to disallow these without encryption.

[philpennock]

With my exim maintainer hat on, there's two very different issues (and some misinformation) here:

1. Which TLS configuration is used for MX delivery between hosts
2. Which TLS configuration is used for Submission

and 1 is in turn divided up into (a) "when using DANE so that cleartext fallback is disabled" and (b) "in the normal RFC-compliant fallback-to-cleartext" cases.

The misinformation: Exim supports OpenSSL and GnuTLS. AFAIK most people building Exim for themselves seem to choose OpenSSL. On Debian and derivatives (such as Ubuntu) using GnuTLS is instead more common. So the TLS strings depend upon which SSL library is in used.

For myself, I define macros TLS_SERVER_MX_CIPHERSPEC and TLS_SERVER_SUBMISSION_CIPHERSPEC for port 25 vs ports 465+587, and I define TLS_CLIENT_DEFAULT_CIPHERSPEC and TLS_CLIENT_HIGHSEC_CIPHERSPEC for outbound. I use the highsec spec for dane_require_tls_ciphers = TLS_CLIENT_HIGHSEC_CIPHERSPEC and also via complicated expansion logic for when site-local configuration says that TLS should be used for connections to particular servers.

For the TLS_CLIENT_HIGHSEC_CIPHERSPEC and TLS_SERVER_SUBMISSION_CIPHERSPEC values, ssl-config-generator values are very appropriate.

[ygoe]

Hm, I'm no wiser than before now. What is the correct config syntax for getting a recommended security with GnuTLS? I'm not building anything but use the Ubuntu distribution packages. People building stuff themselves use other distributions that are made for that. I did that many years ago but it was just way too much work to keep up with all relevant updates.

Does GnuTLS understand the same config values as OpenSSL? I couldn't find any documentation about that, so it looks to me that GnuTLS is unconfigurable. Why is that even used when everybody (except the Exim developers maybe) prefers OpenSSL?

[philpennock]

For GnuTLS, the syntax of those strings is a "priority string":
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTreqciphgnu

The GnuTLS docs: https://www.gnutls.org/manual/html_node/Priority-Strings.html

Exim just passes the strings through to the GnuTLS library.

[ygoe]

OK, and which of these should I use? After all, that's the purpose of this tool. I'm not a security professional, I don't know much about the details of all these algorithms.

[philpennock]

If there's not an equivalent to the Mozilla ssl-config generator and you don't have the expertise to make calls, then keep it simple and avoid naming explicit ciphers. For the high-sec cases (server listening on 465/587, NOT for the MX port 25; the dane_require_tls_ciphers option on an SMTP Transport), perhaps something like:

SECURE128:-VERS-TLS1.0:-VERS-TLS1.1

Run: gnutls-cli --list --priority='SECURE128:-VERS-TLS1.0:-VERS-TLS1.1' to test.

That would be "anything of at least 128 bits security, disabling TLS1.0 and TLS1.1". This avoids you having to get involved in deciding what is or is not secure, but involves trusting the decisions of the library maintainers.

Otherwise, you use the ssl-config strings and the GnuTLS docs and spend time figuring out how well each one does or does not translate to GnuTLS. Use gnutls-cli --list --priority='your_candidate' to test.

[philpennock]

(For clarity: I am not a maintainer of the Mozilla tool, I'm an Exim maintainer and saw your issue which looking for something else)

[ygoe]

Strange, this command seems to include some TLS 1.0, but no TLS 1.1. Both seem to be explicitly excluded.

[peterthomassen]

@ygoe I observe the same behavior.

[gene1wood]

@philpennock Thanks for your comments here. Are there any concrete changes we (Mozilla) should make to the Exim config to improve things?

[philpennock]

I am no longer an Exim maintainer.

Invoking exim -bP macros will give you values for, potentially, _HAVE_TLS, _HAVE_OPENSSL, _HAVE_GNUTLS (going partly from memory, test to be sure). That will let you interrogate to know which options to suggest for a given installation, or you can emit with .ifdef directives:

.ifdef _HAVE_OPENSSL
openssl_options = X
tls_require_ciphers = Y
.elifdef _HAVE_GNUTLS
tls_require_ciphers = Z
.elifdef _HAVE_TLS
# unsupported TLS configuration, at the time this was written Exim only supported OpenSSL and GnuTLS
.else
# TLS not enabled in this build
.endif

You might want to refer people to https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html for the docs on TLS with Exim.

I would definitely push for a configuration such as the ${if =={$received_port}{25} example, to support MX "have to be more forgiving" behavior vs submission(s) "have decent security" behavior. You might include a warning comment that if debugging on a non-standard port then this will push that connection to stricter security. There are ways to make the configuration more complicated to support that, but not worth pushing for in a simple recommendations tool, so just a warning comment IMO.

Take a look over the DANE section and figure out what you want to configure for the remote_smtp transport to provide better security by default for outbound connections; look at whatever current git has as the default configuration file for people to work from (https://git.exim.org/exim.git/blob/HEAD:/src/src/configure.default) and see what is done for the smarthost_smtp case (where we push for better TLS behavior) vs the default.

Anything in terms of policy beyond that, I defer to the current maintainers rather than step on their toes.

[grinapo]

I don't see how the generator could generate anything for gnutls syntax (instead of openssl).

The preference
tls_require_ciphers = SECURE128:-VERS-TLS1.0:-VERS-TLS1.1:%SERVER_PRECEDENCE:-AES-256-CBC:-AES-128-CBC

seems to provide a good baseline, forcibly removing CBC (and breaking compatibility for some I guess) TLS1.0 cyphers as well.

(It provides, on my current config:

• Protocols: VERS-TLS1.3, VERS-TLS1.2, VERS-DTLS1.2, VERS-DTLS1.0
• Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-256-CCM, AES-128-GCM, AES-128-CCM
• MACs: SHA1, AEAD
• Key Exchange Algorithms: ECDHE-ECDSA, ECDHE-RSA, RSA, DHE-RSA
• Groups: GROUP-SECP256R1, GROUP-SECP384R1, GROUP-SECP521R1, GROUP-X25519, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096, GROUP-FFDHE6144, GROUP-FFDHE8192
• PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-PSS-SHA256, SIGN-RSA-PSS-RSAE-SHA256, SIGN-ECDSA-SHA256, SIGN-ECDSA-SECP256R1-SHA256, SIGN-EdDSA-Ed25519, SIGN-RSA-SHA384, SIGN-RSA-PSS-SHA384, SIGN-RSA-PSS-RSAE-SHA384, SIGN-ECDSA-SHA384, SIGN-ECDSA-SECP384R1-SHA384, SIGN-RSA-SHA512, SIGN-RSA-PSS-SHA512, SIGN-RSA-PSS-RSAE-SHA512, SIGN-ECDSA-SHA512, SIGN-ECDSA-SECP521R1-SHA512
  )

Naturally this holds ony for the gnutls-compiled versions, namely all Debian and clones.

[grinapo]

Yep, still broken. Can't generate config for gnutls.

Happy anniversary!

Technically I don't see what the problem is. Exim+gnutls uses the standard gnutls syntax and opions, using the aforementioned tls_require_cypers keyword.

All the tls related config options are, for the record:

acl_smtp_starttls = 
no_gnutls_allow_auto_pkcs11
no_gnutls_compat_mode
no_ldap_start_tls
tls_advertise_hosts = *
tls_certificate = /etc/wherever/cert.pem
tls_crl = 
tls_dh_max_bits = 2236
tls_dhparam = 
tls_eccurve = auto
tls_ocsp_file = 
tls_on_connect_ports = 
tls_privatekey = /etc/wherever/key.pem
no_tls_remember_esmtp
tls_require_ciphers = SECURE128:-VERS-TLS1.0:-VERS-TLS1.1:%SERVER_PRECEDENCE:+CAMELLIA-256-GCM:+CAMELLIA-128-GCM
tls_try_verify_hosts = 
tls_verify_certificates = 
tls_verify_hosts = 

[gene1wood]

@grinapo Thanks for your comments here. Are there any concrete changes we (Mozilla) should make to the Exim config to improve things?