
The site weakdh.org explains how to fix postfix against the weak Diffie-Hellman attack called "logjam".

But don't I have to fix courier too? Or do I have to migrate to dovecot to be logjam-safe?

rubo77
  • Already [this](http://security.stackexchange.com/questions/89773/how-to-check-if-a-server-is-not-vulnerable-to-logjam) is a good guide for checking a generic service. – Marki May 21 '15 at 20:05

2 Answers

2

I found this blog post that explains it quite well.

To speed this up, first check if you already have good parameters in /etc/ssl/certs/dhparams.pem with

openssl dhparam -text -noout -in /etc/ssl/certs/dhparams.pem

If so, copy them into /etc/courier/dhparams.pem with

cp -a /etc/ssl/certs/dhparams.pem /etc/courier/dhparams.pem

Otherwise, generate them with

openssl dhparam -out /etc/courier/dhparams.pem 4096

Courier version 4.15 removes the TLS_DHCERTFILE parameter from the imap and pop3d configuration files. DH parameters, and DH parameters only, get read from the new TLS_DHPARAMS file (and the other functionality of TLS_DHCERTFILE, for DSA certificates, is merged into TLS_CERTFILE). After upgrading, run the mkdhparams script to create a new TLS_DHPARAMS file.

So check your installed version with

apt-cache show courier-imap-ssl | grep Version

If you have at least version 4.15, now edit /etc/courier/imapd-ssl and set

TLS_DHPARAMS=/etc/courier/dhparams.pem

Restart courier-imap-ssl:

/etc/init.d/courier-imap-ssl restart

Check the connection with openssl version 1.0.2a:

openssl s_client -host <yourhost.org> -port 993
rubo77
0

When using Courier, you need to make sure that the Diffie-Hellman parameters in /etc/courier/dhparams.pem are generated with more than the default 768 bits. I guess 2048 or 4096 bits should do.

Instead of using mkdhparams to generate dhparams.pem (with just 768 bits by default!), you could do it this way:

openssl dhparam -out /etc/courier/dhparams.pem 2048

service courier-mta-ssl restart

Here's some info (in German) and some further reading about how to mitigate the Logjam attack on Courier-MTA.

rubo77
Thomas
  • Unlike the Postfix daemon, the Courier POP3 and IMAP daemons require the certificate and key to have been combined into a single file. `courier` uses `TLS_CERTFILE=/etc/courier/imapd.pem` in its settings in `/etc/courier/imapd-ssl`, so there is some more to be done, I guess. (see http://blog.mekk.com/2010/06/startssl-certificate-free-exim-courier.html ) – rubo77 Jun 09 '15 at 12:32
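Both answers come down to one check: is the prime in /etc/courier/dhparams.pem long enough? As an added example (not code from either answer or from Courier), here is a small Python parser that reads the PKCS#3 `DH PARAMETERS` PEM that `openssl dhparam` writes and returns the bit length of p, so the file can be verified directly instead of eyeballing `openssl dhparam -text`. The two sample PEMs are constructed inside the block (odd numbers of the right size, not real primes) purely to exercise the parser.

```python
import base64
import re


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length: next n bytes hold it
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def dh_prime_bits(pem):
    """Return (bit length of p, generator g) from a 'DH PARAMETERS' PEM (PKCS#3)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)    # DHParameter ::= SEQUENCE { prime, base, ... }
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, p_bytes, pos = _read_tlv(body, 0)       # INTEGER p
    _, g_bytes, _ = _read_tlv(body, pos)       # INTEGER g
    return int.from_bytes(p_bytes, "big").bit_length(), int.from_bytes(g_bytes, "big")


def is_logjam_safe(pem, minimum_bits=2048):
    """True if the DH prime is at least minimum_bits long (768-bit groups are the Logjam problem)."""
    return dh_prime_bits(pem)[0] >= minimum_bits


def make_sample_pem(p, g=2):
    """Build a PEM in the layout openssl dhparam writes; used here only to construct test input."""
    def integer(v):
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80:                 # leading zero keeps the INTEGER positive
            b = b"\x00" + b
        return b"\x02" + _der_len(len(b)) + b
    body = integer(p) + integer(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + lines + "\n-----END DH PARAMETERS-----\n"


WEAK_SAMPLE = make_sample_pem((1 << 767) | 1)      # constructed 768-bit value, NOT a prime
STRONG_SAMPLE = make_sample_pem((1 << 2047) | 1)   # constructed 2048-bit value, NOT a prime
```

To check a real file, pass `open("/etc/courier/dhparams.pem").read()` to `is_logjam_safe`.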