Disabling SSLv3 in Postfix

Dark Knight Poodle
Some rights reserved by greg westfall.

The POODLE attack was made public late 2014 and as most vendors have taken action to solve possible issues related to POODLE. The time definitely has come to close SSLv3 in all parts of public facing infrastructure. By default Postfix still only disallows SSLv2 and hopefully this will change in the form of stricter default behaviour in Postfix or distributions/vendors that stop shipping SSLv3 libraries.

For now you can set with the postconf command restrictions which protocols shouldn’t be used by Postfix.

$ sudo postconf -e smtpd_tls_mandatory_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtpd_tls_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtp_tls_protocols=\!SSLv2,\!SSLv3

As this is a change to /etc/postfix/main.cf Postfix can be reloaded to reread the configuration, but it may be smarter to just restart Postfix to make it effective for all connection from the moment Postfix restarts.

$ sudo systemctl restart postfix.service

All encrypted sessions Postfix allows will require TLSv1+. The next step will be to disable the RC4 cipher suite, but will do that in another posting.

Installing SSL-certificates on Debian

Installing and configuring SSL certificates is always an issue as how to create them and where to store them. Most of the time people can find the procedure on how to create them, but they forget all the places where they have placed them. Some initiatives exist to have centralized key stores on systems, but getting applications to use them is still a problem.

Also on Debian is this an issue and key material is all over the system if you’re not careful. Some Debian developers tried to fix it, but it ended in a “stalemate” and for now an additional package called ssl-cert exists to create self-signed certificates. This package also provides a structure for storing commercial certificates and accessing them in a safer way. So for we install the package ssl-cert.

$ sudo apt-get install ssl-cert

After installing the package the different files for the SSL-key can be placed in /etc/ssl/private and have the right permissions as shown in the output below. This to protect the key material from being use by unauthorized processes as most keys don’t have a passphrase.

$ sudo ls -l /etc/ssl/private
-r--r----- 1 root    ssl-cert 2766 Dec 12 13:06 www.example.org_ca.pem
-r--r----- 1 root    ssl-cert 1671 Dec 12 13:06 www.example.org.crt
-r--r----- 1 root    ssl-cert 1070 Dec 12 13:06 www.example.org.csr
-r--r----- 1 root    ssl-cert 6268 Dec 12 13:06 www.example.org_intermediate.pem
-r--r----- 1 root    ssl-cert 1675 Dec 12 13:06 www.example.org.key
-r--r----- 1 root    ssl-cert 3502 Dec 12 13:06 www.example.org.pem

The location and files can only be accessed by the root user or members of the group ssl-cert. Some applications as Apache startup under the root user and access the files before switching to the actual user like www-data on Debian. For those applications nothing is going to change, but for others like ejabberd that run completely under the ejabberd user somethings changes. Those users need to be made member of the group ssl-cert to read the files in /etc/ssl/private. Below two known services are made member of the group ssl-cert to read the certificates.

$ sudo usermod -a -G ssl-cert ejabberd
$ sudo usermod -a -G ssl-cert postgres
$ id -a ejabberd
uid=123(ejabberd) gid=125(ejabberd) groups=105(ssl-cert),125(ejabberd)
$ id -a postgres
uid=105(postgres) gid=108(postgres) groups=105(ssl-cert),108(postgres)

After checking of the modification was in affect as some servers use a Naming Service Caching Daemon the affected services need to be restarted. In this example both ejabberd and PostgreSQL need to restarted before the SSL certificates can be accesses.

Switching to Mozilla Extended Support Releases

At first I wasn’t impressed with Mozilla’s plan for Extended Support Releases for Firefox and Thunderbird, and after sites complained that Firefox 10 was too old it made me switch to the normal release schedule. But now with Firefox 17 being the current ESR and release 24 around the corner it made me rethink everything again. Updating your browser every six weeks sounds fun, but in the end it should just work.

So first stop was Debian that appears to adopt the new ESR strategy and updated their own spin of Mozilla Firefox, Iceweasel, for version 10 to version 17 in their stable release of Debian. The same for Icedove, the Debian spin of Mozilla Thunderbird. Hopefully their testing release will have version 17 soon, but you can grab it from the unstable release without any real issue. I have been using Iceweasel 17 for about three weeks again and experienced no issues browsing the web. So the first step to Firefox ESR has been taken.

The next step it to switch a portable apps installation of Mozilla Firefox to ESR, but for that I have to wait for the next Extended Support Release which is be planned September 17, 2013 and then change the release channel from “release” to “esr” by hand in default\pref\channel-prefs.js. Or I should reinstall the ESR version of PortableApps Firefox now, but for that I need to do some import and exporting of data and settings. We will see what will come first.

Renaming database in PostgreSQL

Sometimes you have a system with legacy naming standards, but you really want to switch over to the new standard to keep all the scripting clean without some exceptions no one is going to remember in 12 months. Oracle had the command ALTER DATABASE, but since Oracle 10 you need to take the database offline and do some magic. MySQL got the RENAME DATABASE option with release 5.1.7 and lost the option again with release 5.1.23 as it was eating data.

Luckily PostgreSQL still has the command ALTER DATABASE so let rename a database and it’s owner. Before we start we need the password and then we need to login as the PostgreSQL superuser postgres or another account with similar privileges. So first we check the database name and owner.

postgres=# \l
                                    List of databases
     Name     |  Owner   | Encoding  |  Collation  |    Ctype    |   Access privileges   
 dbu0001      | dbu0001  | UTF8      | en_US.UTF-8 | en_US.UTF-8 | 

Now we rename the database owner as we made a typo and we need to set the password again.

postgres=# alter user dbu0001 rename to dbo0001;
NOTICE:  MD5 password cleared because of role rename
postgres=# alter user dbo0001 password 'yeaxaureiraeLohsh6deJ2ohngahpu9a';

The second task is to rename the database to the correct name.

postgres=# alter database dbu0001 rename to dbs0001;

And basically we are now done as the ownership was already modified when we renamed the account with our first statement, but let check what PostgreSQL says it now has.

postgres=# \l
                                    List of databases
     Name     |  Owner   | Encoding  |  Collation  |    Ctype    |   Access privileges   
 dbs0001      | dbo0001  | UTF8      | en_US.UTF-8 | en_US.UTF-8 | 

Please don’t forget to update the connection strings for applications using this database and maybe GRANTS that have been set and the pg_hba.conf file.

A smoother transition in Debian

About a month ago a transition in Debian took a wrong turn for systemd users. This ended in systemd users who where unable to shutdown there system, but recently a newer version was uploaded to unstable solving this issue. So time to unlock the block packages and upgrading systemd to version 37-1.1 and blocked packages.

$ echo "bootlogd install" | sudo dpkg --set-selections
$ echo "initscripts install" | sudo dpkg --set-selections
$ echo "sysvinit install" | sudo dpkg --set-selections
$ echo "sysvinit-utils install" | sudo dpkg --set-selections
$ echo "sysv-rc install" | sudo dpkg --set-selections
$ sudo apt-get install -t unstable systemd libpam-systemd libsystemd-daemon0 libsystemd-login0 bootlogd initscripts sysv-rc sysvinit sysvinit-utils

Only remark after upgrade as for the last time a normal reboot isn’t possible since the system already looks at the new location, but a `halt -f` solves that.