postfix: invalid value for smtpd_tls_mandatory_ciphers in main.cf

Bug #365390 reported by Richard Hansen on 2009-04-23
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
dovecot (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: postfix

postfix-2.5.5-1.1 (jaunty release candidate)

The default /etc/postfix/main.cf file contains the line:

smtpd_tls_mandatory_ciphers = medium, high

This is an invalid value; it must be either 'medium' or 'high', not 'medium, high'. With it set to 'medium, high', sending mail via the submission port (uncommented in master.cf) results in the following error message in /var/log/mail.log:

Apr 23 00:20:06 socket postfix/smtpd[28385]: warning: localhost[127.0.0.1]: invalid TLS cipher grade: "medium, high": aborting TLS session

The documentation (man 5 postconf) says this:

"smtpd_tls_mandatory_ciphers (default: medium). The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or smtpd_tls_exclude_ciphers are excluded from the base definition of the selected cipher grade. With opportunistic TLS encryption, the "export" grade is used unconditionally with exclusions specified only via smtpd_tls_exclude_ciphers."

Jonathan Marsden (jmarsden) wrote :

I am unable to duplicate this here in a Jaunty (rc) virtual machine.

The default /etc/postfix/main.cf file does not seem to contain an entry for smtpd_tls_mandatory_ciphers when I install postfix. I also unpacked the postfix 2.5.5-1.1 source package and do not see any obvious sign of this in there.

Please provide full details on exactly how you installed postfix, and if you were asked any configurations questions by debconf when installing, how you answered them.

I suspect that the problem here may lie in another package, not postfix itself? In particular, did you install the dovecot-postfix package?

Jonathan

Changed in postfix (Ubuntu):
status: New → Incomplete
Jonathan Marsden (jmarsden) wrote :

bug only seen when dovecot-postfix is installed, not when installing just postfix.

affects: postfix (Ubuntu) → dovecot (Ubuntu)
Jonathan Marsden (jmarsden) wrote :

unable to set package name to dovecot-postfix

Changed in dovecot (Ubuntu):
status: Incomplete → Confirmed
Jonathan Marsden (jmarsden) wrote :

Fix created, will upload debdiff soon.

Changed in dovecot (Ubuntu):
status: Confirmed → In Progress
Jonathan Marsden (jmarsden) wrote :

Debdiff attached.

Note that this is hand edited to remove over 5MB of cruft
generated because the dovecot build regenerates
a lot of autotools files that are in the original source
tarball and does not take care of replacing them
in its clean target. But that's (I think!) a totally
separate packaging bug.

Jonathan

Changed in dovecot (Ubuntu):
status: In Progress → Confirmed
Mathias Gug (mathiaz) wrote :

Thanks for preparing a debdiff.

Considering that the default value for smtpd_tls_mandatory_ciphers is medium it makes more sense to just remove the set_postfix_option "smtpd_tls_mandatory_ciphers = medium, high" line rather than replacing it with set_postfix_option "smtpd_tls_mandatory_ciphers = medium".

Jonathan Marsden (jmarsden) wrote :

@Mathias: That's fine. I was just following the example set by some other parameters in that same file, very close to the line being discussed, such as

  set_postfix_option "smtpd_tls_mandatory_protocols = SSLv3, TLSv1"

and also

  set_postfix_option "tls_random_source = dev:/dev/urandom"

which seem to me to be setting things to the same value as the default. I therefore thought there must be a reason for doing it this way, and so I carefully followed the example set by the creators of this script :)

I think it would be good to be consistent about this, and *only* set things which are non-default, unless there really is a valid reason for doing otherwise?

Attached is a new debdiff that just removes the one line for smtpd_tls_mandatory_ciphers. If you feel we should also remove the others that set things the same as the default, let me know :)

BTW, I looked at doing this as a bzr branch, but was puzzled by the branch name being ubuntu-intrepid, so I just did a debdiff instead, rather than risk a mistake of using the wrong bzr branch!

Jonathan

tags: added: patch
Gioele Barabucci (gioele) wrote :

The problem is still present in Jaunty and the patch fixes it.

Could you please release an updated deb in jaunty-updates?

Steve Kowalik (stevenk) wrote :

If this going to be fixed in Jaunty, it needs to be fixed in Karmic first, and the debdiff corrected for a upload to jaunty-proposed. Jonathon, are you willing to do this to get this fixed in Jaunty?

Steve Kowalik wrote:

> If this going to be fixed in Jaunty, it needs to be fixed in Karmic
> first, and the debdiff corrected for a upload to jaunty-proposed.
> Jonathon, are you willing to do this to get this fixed in Jaunty?

It is fixed in Karmic. I'll prepare debdiffs for jaunty later today.

Ante Karamatić (ivoks) wrote :

Unlike proposed patch, this one defines smtpd_tls_mandatory_ciphers. Reason for that is that dovecot-postfix supports installation on top of existing configuration. Since the idea of dovecot-postfix is to provide sane defaults, chosen by Ubuntu Server Team, we define all configuration options, even though many of them are same by default. That way we can 'fix' configurations with "smtpd_tls_mandatory_ciphers=low". True, we also break those with "smtpd_tls_mandatory_ciphers=high". With current implementation we can't make everybody happy :/

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dovecot - 1:1.1.11-0ubuntu11

---------------
dovecot (1:1.1.11-0ubuntu11) karmic; urgency=low

  [Ante Karamatic]
  * debian/dovecot-postfix.postinst:
    - reduce smtpd_tls_mandatory_ciphers to medium (LP: #365390)
  * debian/dovecot-postfix.README.Debian:
    - introduction and features of dovecot-postfix
  * debian/rules:
    - install debian changelog in dovecot-postfix

 -- Chuck Short <email address hidden> Wed, 14 Oct 2009 21:30:36 -0400

Changed in dovecot (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers