DANE DNS-SEC TLSA on RR smtp.domain.tld

Bonjour,

depuis 2 jours je reçois des mails provenant de DNSSEC-DANE-Deployment-Statistics qui me signale que mon serveur de mail n’est pas valide DANE - cela depuis (je pense) que j’ai fait des tests de bonne configuration d’email depuis le siteweb https://internet.nl - en fait je crois que cela vient de mon register de domaine gandi.net

De : DANE Survey Notices <maillll@dnssec-stats.ant.isi.edu>
Pour : 7331b9..........39736938@contact.gandi.net
Copie à : hostmaster@lab3w.fr (moi)
Sujet : [Reminder] smtp.zw3b.eu[158.69.126.137], smtp.zw3b.net[2607:5300:60:9389:17:4c1:0:1a]: SMTP server DNS (DANE TLSA record) issue

çà pète, en passant

CF : https://stats.dnssec-tools.org/explore/?zw3b.eu

Par contre j’ai l’impression qu’il y a un bug de vérification DANE ; on dirait que le site vérifie le port _443._tcp sur le nom SMTP (c’est un peu c** c**)

J’ai un serveur mail « mail.zw3b.eu ».

Le protocol SMTP (25) & SMTPs (465) & SMTPs STARTLS (587) (donc) sont valident DANE.

$ dig TLSA _25._tcp.smtp.zw3b.eu @dns.google +short
3 0 1 6A42E98D3EADBB58C37A4127CEF3BB8BD004AC8DA39EE14F46549E52 C75F1C4F
$ dig TLSA _465._tcp.smtp.zw3b.eu @dns.google +short
3 0 1 6A42E98D3EADBB58C37A4127CEF3BB8BD004AC8DA39EE14F46549E52 C75F1C4F
$  dig TLSA _587._tcp.smtp.zw3b.eu @dns.google +short
3 0 1 6A42E98D3EADBB58C37A4127CEF3BB8BD004AC8DA39EE14F46549E52 C75F1C4F

Le webmail HTTPs (TLS) (donc) valide DANE.

$ dig TLSA _443._tcp.webmail.zw3b.eu @dns.google +short
3 0 1 6A42E98D3EADBB58C37A4127CEF3BB8BD004AC8DA39EE14F46549E52 C75F1C4F

Est-ce la bonne configuration ?

Il me semble bien - n’est-ce pas ?

Je pourrais ajouter un enregistrement DNS pour cette question (mais je ne vois pas à quoi çà sert) :

$ dig TLSA _443._tcp.smtp.zw3b.eu @dns.google +short

Merci pour vos réponses.

Salutations,
Romain

J’ajoute çà :

Sur le service « webmail.zw3b.eu:443 » :

$ echo | openssl s_client -showcerts -servername webmail.zw3b.eu -connect webmail.zw3b.eu:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:03:b6:45:1d:b1:5f:11:2e:8c:ac:d0:af:9c:15:e9:67:fe
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Nov  7 15:26:37 2023 GMT
            Not After : Feb  5 15:26:36 2024 GMT
        Subject: CN = mail.zw3b.eu
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:12:c1:14:2c:d2:45:d6:92:82:10:b5:27:58:3d:
                    d2:10:80:40:2d:a4:07:b5:6e:2f:9c:91:72:cb:cd:
                    a3:1e:09:ec:75:08:f5:41:37:0c:9e:0d:a6:fe:89:
                    e5:41:3f:77:48:54:a6:35:15:4f:95:b9:82:c9:42:
                    8e:f6:ff:cd:f4:3a:be:77:3f:af:d4:04:40:a0:33:
                    cf:65:15:52:30:e4:ea:e3:0a:72:9b:6a:41:1a:54:
                    9a:bd:52:ee:6b:d4:ec
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                FF:D3:55:B5:EB:0C:84:A0:8B:A7:3C:04:38:73:8F:02:9D:C1:9E:8D
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:imap.zw3b.blog, DNS:imap.zw3b.com, DNS:imap.zw3b.eu, DNS:imap.zw3b.fr, DNS:imap.zw3b.net, DNS:imap.zw3b.site, DNS:imap.zw3b.tv, DNS:mail.zw3b.blog, DNS:mail.zw3b.com, DNS:mail.zw3b.eu, DNS:mail.zw3b.fr, DNS:mail.zw3b.net, DNS:mail.zw3b.site, DNS:mail.zw3b.tv, DNS:pop.zw3b.blog, DNS:pop.zw3b.com, DNS:pop.zw3b.eu, DNS:pop.zw3b.fr, DNS:pop.zw3b.net, DNS:pop.zw3b.site, DNS:pop.zw3b.tv, DNS:smtp.zw3b.blog, DNS:smtp.zw3b.com, DNS:smtp.zw3b.eu, DNS:smtp.zw3b.fr, DNS:smtp.zw3b.net, DNS:smtp.zw3b.site, DNS:smtp.zw3b.tv, DNS:webmail.zw3b.blog, DNS:webmail.zw3b.com, DNS:webmail.zw3b.eu, DNS:webmail.zw3b.fr, DNS:webmail.zw3b.net, DNS:webmail.zw3b.site, DNS:webmail.zw3b.tv
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
                                67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
                    Timestamp : Nov  7 16:26:38.263 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:94:67:2C:65:F1:F5:7F:18:4B:D8:A5:
                                78:67:B1:D3:83:8B:E3:0F:4E:0B:86:02:DE:B8:42:95:
                                55:6E:1D:70:0F:02:20:37:25:80:CE:A2:82:CD:BF:C8:
                                DC:4B:FB:75:BA:B7:89:A6:7C:2D:36:B5:8B:C9:7F:45:
                                30:B0:6C:F6:6C:2A:52
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
                    Timestamp : Nov  7 16:26:38.323 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:CD:35:50:C5:E3:D5:DF:4C:D5:C0:A6:
                                D0:B8:34:2F:74:32:28:7C:24:49:E8:A0:8E:4B:97:02:
                                C0:10:47:EB:BC:02:21:00:8A:28:D3:A3:34:CE:25:B6:
                                54:34:E7:28:AF:BC:54:86:7A:B9:F8:53:20:BE:03:68:
                                55:8B:56:55:84:F8:D7:38
    Signature Algorithm: sha256WithRSAEncryption
         33:5f:6c:4b:6e:b5:de:5c:bc:5a:62:f4:93:7f:cc:c7:aa:4e:
         41:f1:b9:d6:48:58:ec:d9:8f:d8:66:26:f1:d0:5a:9e:3a:0c:
         35:bf:9c:9a:74:53:fe:b1:1a:32:a8:65:15:74:04:49:da:68:
         1e:db:ff:84:3e:58:14:f0:71:8e:25:1d:45:1e:28:3f:ea:17:
         16:4f:0b:51:04:c0:5d:c4:94:72:73:10:5f:4c:a8:4a:1a:a6:
         84:31:fa:b1:3b:f3:69:50:79:74:4b:0d:ca:6a:11:82:1f:bf:
         26:be:d7:35:3d:f1:ae:67:e8:c6:a5:56:21:36:7c:07:46:96:
         8e:83:b5:9d:27:16:ae:68:2e:48:94:57:f3:b0:ff:fe:f6:81:
         e6:c7:91:3c:36:5c:69:ac:02:0d:00:4b:e0:3c:9b:bf:2f:41:
         85:a8:c1:26:2c:6a:f5:fd:d3:06:02:b7:89:84:76:65:a9:22:
         88:67:1a:98:ee:8b:25:74:54:c5:4a:15:45:0f:7d:32:9f:d8:
         10:de:42:44:25:3d:65:1d:9d:98:f5:5b:b4:4e:08:44:ba:4c:
         1e:02:52:ff:c8:55:ba:f5:0c:8e:8c:d4:4a:e3:da:a0:1d:b4:
         b4:fb:13:2a:4c:2f:11:40:5c:02:81:e6:ec:2b:d2:66:1f:d2:
         68:a1:c1:0b

Sur le service « smtp.zw3b.eu:25 » :

$ echo | openssl s_client -showcerts -servername smtp.zw3b.eu -connect smtp.zw3b.eu:25 -6 2>/dev/null | openssl x509 -inform pem -noout -text
unable to load certificate
140013873140928:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

?

Aurais-je fais une bourde (pourtant j’arrive normalement à m’authentifier avec mon logiciel de mails Mozilla Thunderbird à recevoir et send)…

J’ai pû lire que par exemple les signatures DKIM peuvent être au maximum en ec-256 plutôt ed25519-sha256 et non pas en ec-384 mais je ne crois pas ce soit la même chose pour le protocol SMTP.

Je ne sais pas exactement.

Pour DKIM :

• Algorithm RSA-SHA256 (rfc6376 : DomainKeys Identified Mail (DKIM) Signatures)
• Algorithm Ed25519-SHA256 : (rfc8463 : A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM))

Pour SMTP - je check çà …

Je lis « liste d’algorithmes de chiffrement pour la négociation TLS a été mise à jour en janvier 2021. » sur cette page : Algorithmes de chiffrement pour les connexions TLS SMTP…

TLS 1.3

• TLS_AES_128_GCM_SHA256
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256

J’ajoute mes deux posts du mois

1. Let’s Encrypt certicats - ca.pem (old certif) <-> commercial_3.pem -…
2. Authentication-Results: […] (amavis); dkim=neutral reason="invalid…

Bonne soirée à vous mesdames, mesdamoiselles, messieurs.

C’est OK pour DNSSEC and SMTP DANE TLS adoption survey (updated daily) [RESOLU] → https://stats.dnssec-tools.org/explore/

_25._tcp.smtp.domain.tld → SMTP protocol
_465._tcp.smtp.domain.tld → SMTPs protocol
_587._tcp.smtp.domain.tld → SMTPs protocol - Submission (for web service je crois)

Merci.

Rien à voir mais je dis :

Sinon, lorsque j’essaie de me connecter via openssl :

Sur « smtp.zw3b.eu:25 » (SMTP NON Sécurisé) → NON OK :

root@lab3w:~ # echo | openssl s_client -6 -connect smtp.zw3b.eu:25
CONNECTED(00000003)
139746243826880:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 304 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Et sur " smtp.zw3b.eu:587 " (SMTPs STARTTLS)

root@lab3w:~ # echo | openssl s_client -6 -connect smtp.zw3b.eu:587
CONNECTED(00000003)
139664478545088:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 304 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Sinon je remarque que depuis un de mes serveur « lab3w » et depuis un autre « dc.w3a » - çà ne me ressort pas la même réponse.

Sur « smtp.zw3b.eu:465 » (SMTP Secure) → OK
Depuis « lab3w » - Debian GNU/Linux 10 (buster) :

root@lab3w:~ # echo | openssl s_client -6 -connect smtp.zw3b.eu:465
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.zw3b.eu
verify return:1
---
Certificate chain
 0 s:CN = mail.zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = mail.zw3b.eu
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
[...]
2qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
-----END CERTIFICATE-----
subject=CN = mail.zw3b.eu

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6335 bytes and written 384 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

Et depuis « dc.w3a » - Debian GNU/Linux 9 (stretch) :

root@dc.w3a:~ $ echo | openssl s_client -6 -connect smtp.zw3b.eu:465
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.zw3b.eu
verify return:1
---
Certificate chain
 0 s:/CN=mail.zw3b.eu
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=mail.zw3b.eu
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
[...]
2qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
-----END CERTIFICATE-----
subject=/CN=mail.zw3b.eu
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6413 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 108778FCB7F6E6B5D2336D1658B53ED7171D3813C3FC268B7515C5E6948F824F
    Session-ID-ctx:
    Master-Key: 570C7A56776C764285DE27EF810D979945208D635D8AB7F1BD8C410A6ADDE46CC21ADCC2AB710BDF6AE6F887E5CF0FE9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ce 78 38 e9 4f 10 fe c8-d0 27 77 05 e8 b5 90 e8   .x8.O....'w.....
    0010 - 4d f2 aa c2 84 06 3a 0c-a5 89 d9 61 f6 d0 87 f1   M.....:....a....
    0020 - 51 e8 13 41 bf 6f 9c 46-92 5d a5 20 c8 d0 70 d1   Q..A.o.F.]. ..p.
    0030 - cb 38 ef 18 41 81 f2 97-a9 43 10 03 ac b3 42 4a   .8..A....C....BJ
    0040 - 04 c7 1a bd ba 1c 8f d4-ba 11 9b fc 72 37 41 88   ............r7A.
    0050 - 1c 1a 15 d2 bd 59 a3 6e-c1 1e 6e 5f 4e 7d 95 b6   .....Y.n..n_N}..
    0060 - a1 13 cb d6 aa f3 59 80-09 16 9e 48 c8 62 55 74   ......Y....H.bUt
    0070 - 5b 14 a7 13 4b 77 f9 e7-20 37 c7 68 a0 bf 54 ec   [...Kw.. 7.h..T.
    0080 - 5e 3b af 7e 09 68 d8 6e-c7 31 bf d9 53 fd a0 f7   ^;.~.h.n.1..S...
    0090 - 04 69 30 07 6c 92 b0 fb-12 e5 46 9f 99 a8 d0 0b   .i0.l.....F.....
    00a0 - 11 b9 a8 ce e0 c0 91 32-ac 87 bb 13 aa b9 07 69   .......2.......i

    Start Time: 1699702342
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

Sinon, tiens en plus j’ajoute çà :

Ciphers SSL / TLS " smtp.zw3b.eu:25 " :

root@lab3w:~ # nmap --script ssl-enum-ciphers -p 25 smtp.zw3b.eu -6
Starting Nmap 7.70 ( https://nmap.org ) at 2023-11-10 16:11 CET
Nmap scan report for smtp.zw3b.eu (2607:5300:60:9389:17:4c1:0:1a)
Host is up (0.00021s latency).
Other addresses for smtp.zw3b.eu (not scanned): 158.69.126.137
rDNS record for 2607:5300:60:9389:17:4c1:0:1a: mail.zw3b.eu

PORT   STATE SERVICE
25/tcp open  smtp
MAC Address: CE:40:55:0E:58:A1 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds

Ciphers SSL / TLS " smtp.zw3b.eu:465 " :

root@lab3w:~ # nmap --script ssl-enum-ciphers -p 465 smtp.zw3b.eu -6
Starting Nmap 7.70 ( https://nmap.org ) at 2023-11-10 16:11 CET
Nmap scan report for smtp.zw3b.eu (2607:5300:60:9389:17:4c1:0:1a)
Host is up (0.0030s latency).
Other addresses for smtp.zw3b.eu (not scanned): 158.69.126.137
rDNS record for 2607:5300:60:9389:17:4c1:0:1a: mail.zw3b.eu

PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: F
MAC Address: CE:40:55:0E:58:A1 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 14.67 seconds

Ciphers SSL / TLS " smtp.zw3b.eu:587 " :

root@lab3w:~ # nmap --script ssl-enum-ciphers -p 587 smtp.zw3b.eu -6
Starting Nmap 7.70 ( https://nmap.org ) at 2023-11-10 16:12 CET
Nmap scan report for smtp.zw3b.eu (2607:5300:60:9389:17:4c1:0:1a)
Host is up (0.00030s latency).
Other addresses for smtp.zw3b.eu (not scanned): 158.69.126.137
rDNS record for 2607:5300:60:9389:17:4c1:0:1a: mail.zw3b.eu

PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: F
MAC Address: CE:40:55:0E:58:A1 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 2.96 seconds

Si cela peut « aider » bien configurer ces algorithmes SSL/TLS → Postfix Conf Parameters #smtp_tls_ciphers

J’ajoute les Tests SSL LABS (captures d’écran) :

• SSL Server Test IPv4 : smtp.zw3b.eu (Powered by Qualys SSL Labs)
• SSL Server Test IPv6 : smtp.zw3b.eu (Powered by Qualys SSL Labs)

En IPv4 çà pointe sur le wilcard - mais c’est une « erreur » de configuration, un oubli - il faut que j’ajoute smtp.zw3b.eu en port TCP 443 qui pointe « aussi » sur le serveur mail ce sera mieux [RESOLU]

Bonne journée à vous.

Salutations,
Romain

Pour celles ou ceux que çà intéressent j’ai écris quelques Zimbra : commandes liées à SSL/TLS postfix […] sur le forum de Zimbra.

C’est vraiment bizarre :

Du serveur « lab3w » - Debian GNU/Linux 10 (buster) - Nmap 7.70
→ ERREUR – j’ai un algo « secp384r1 »

root@lab3w:~ # nmap --script ssl-enum-ciphers -p 465 smtp.zw3b.eu -6
Starting Nmap 7.70 ( https://nmap.org ) at 2023-11-11 15:03 CET
Nmap scan report for smtp.zw3b.eu (2607:5300:60:9389:17:4c1:0:1a)
Host is up (0.00023s latency).
Other addresses for smtp.zw3b.eu (not scanned): 158.69.126.137
rDNS record for 2607:5300:60:9389:17:4c1:0:1a: mail.zw3b.eu

PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: A
MAC Address: CE:40:55:0E:58:A1 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 6.65 seconds

Ce que je vois bien depuis le serveur « dc.w3a » - Debian GNU/Linux 9 (stretch) - Nmap 7.40 :

root@dc.w3a:~ $ nmap --script ssl-enum-ciphers -p 465 smtp.zw3b.eu -6

Starting Nmap 7.40 ( https://nmap.org ) at 2023-11-11 15:03 CET
Nmap scan report for smtp.zw3b.eu (2607:5300:60:9389:17:4c1:0:1a)
Host is up (0.10s latency).
Other addresses for smtp.zw3b.eu (not scanned): 158.69.126.137
rDNS record for 2607:5300:60:9389:17:4c1:0:1a: mail.zw3b.eu
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 9.70 seconds

ASN1 OID: secp384r1
National Institute of Standards and Technology CURVE: P-384

root@lab3w:~ # echo | openssl s_client -6 -connect smtp.zw3b.eu:465 | openssl x509 -text -noout
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.zw3b.eu
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:03:b6:45:1d:b1:5f:11:2e:8c:ac:d0:af:9c:15:e9:67:fe
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Nov  7 15:26:37 2023 GMT
            Not After : Feb  5 15:26:36 2024 GMT
        Subject: CN = mail.zw3b.eu
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:12:c1:14:2c:d2:45:d6:92:82:10:b5:27:58:3d:
                    d2:10:80:40:2d:a4:07:b5:6e:2f:9c:91:72:cb:cd:
                    a3:1e:09:ec:75:08:f5:41:37:0c:9e:0d:a6:fe:89:
                    e5:41:3f:77:48:54:a6:35:15:4f:95:b9:82:c9:42:
                    8e:f6:ff:cd:f4:3a:be:77:3f:af:d4:04:40:a0:33:
                    cf:65:15:52:30:e4:ea:e3:0a:72:9b:6a:41:1a:54:
                    9a:bd:52:ee:6b:d4:ec
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                FF:D3:55:B5:EB:0C:84:A0:8B:A7:3C:04:38:73:8F:02:9D:C1:9E:8D
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name:
                DNS:imap.zw3b.blog, DNS:imap.zw3b.com, DNS:imap.zw3b.eu, DNS:imap.zw3b.fr, DNS:imap.zw3b.net, DNS:imap.zw3b.site, DNS:imap.zw3b.tv, DNS:mail.zw3b.blog, DNS:mail.zw3b.com, DNS:mail.zw3b.eu, DNS:mail.zw3b.fr, DNS:mail.zw3b.net, DNS:mail.zw3b.site, DNS:mail.zw3b.tv, DNS:pop.zw3b.blog, DNS:pop.zw3b.com, DNS:pop.zw3b.eu, DNS:pop.zw3b.fr, DNS:pop.zw3b.net, DNS:pop.zw3b.site, DNS:pop.zw3b.tv, DNS:smtp.zw3b.blog, DNS:smtp.zw3b.com, DNS:smtp.zw3b.eu, DNS:smtp.zw3b.fr, DNS:smtp.zw3b.net, DNS:smtp.zw3b.site, DNS:smtp.zw3b.tv, DNS:webmail.zw3b.blog, DNS:webmail.zw3b.com, DNS:webmail.zw3b.eu, DNS:webmail.zw3b.fr, DNS:webmail.zw3b.net, DNS:webmail.zw3b.site, DNS:webmail.zw3b.tv
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
                                67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
                    Timestamp : Nov  7 16:26:38.263 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:94:67:2C:65:F1:F5:7F:18:4B:D8:A5:
                                78:67:B1:D3:83:8B:E3:0F:4E:0B:86:02:DE:B8:42:95:
                                55:6E:1D:70:0F:02:20:37:25:80:CE:A2:82:CD:BF:C8:
                                DC:4B:FB:75:BA:B7:89:A6:7C:2D:36:B5:8B:C9:7F:45:
                                30:B0:6C:F6:6C:2A:52
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
                    Timestamp : Nov  7 16:26:38.323 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:CD:35:50:C5:E3:D5:DF:4C:D5:C0:A6:
                                D0:B8:34:2F:74:32:28:7C:24:49:E8:A0:8E:4B:97:02:
                                C0:10:47:EB:BC:02:21:00:8A:28:D3:A3:34:CE:25:B6:
                                54:34:E7:28:AF:BC:54:86:7A:B9:F8:53:20:BE:03:68:
                                55:8B:56:55:84:F8:D7:38
    Signature Algorithm: sha256WithRSAEncryption
         33:5f:6c:4b:6e:b5:de:5c:bc:5a:62:f4:93:7f:cc:c7:aa:4e:
         41:f1:b9:d6:48:58:ec:d9:8f:d8:66:26:f1:d0:5a:9e:3a:0c:
         35:bf:9c:9a:74:53:fe:b1:1a:32:a8:65:15:74:04:49:da:68:
         1e:db:ff:84:3e:58:14:f0:71:8e:25:1d:45:1e:28:3f:ea:17:
         16:4f:0b:51:04:c0:5d:c4:94:72:73:10:5f:4c:a8:4a:1a:a6:
         84:31:fa:b1:3b:f3:69:50:79:74:4b:0d:ca:6a:11:82:1f:bf:
         26:be:d7:35:3d:f1:ae:67:e8:c6:a5:56:21:36:7c:07:46:96:
         8e:83:b5:9d:27:16:ae:68:2e:48:94:57:f3:b0:ff:fe:f6:81:
         e6:c7:91:3c:36:5c:69:ac:02:0d:00:4b:e0:3c:9b:bf:2f:41:
         85:a8:c1:26:2c:6a:f5:fd:d3:06:02:b7:89:84:76:65:a9:22:
         88:67:1a:98:ee:8b:25:74:54:c5:4a:15:45:0f:7d:32:9f:d8:
         10:de:42:44:25:3d:65:1d:9d:98:f5:5b:b4:4e:08:44:ba:4c:
         1e:02:52:ff:c8:55:ba:f5:0c:8e:8c:d4:4a:e3:da:a0:1d:b4:
         b4:fb:13:2a:4c:2f:11:40:5c:02:81:e6:ec:2b:d2:66:1f:d2:
         68:a1:c1:0b

J’ajoute TLS1.3 - OpenSSLWiki :

root@mail:~ # /usr/bin/openssl ciphers -s -v ECDHE | grep "TLSv1.3" | column -t
TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD

TLS1.2

root@mail:~ # /usr/bin/openssl ciphers -s -v ECDHE | grep "TLSv1.2" | column -t
ECDHE-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305     TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
ECDHE-ECDSA-AES256-CCM8         TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESCCM8(256)            Mac=AEAD
ECDHE-ECDSA-AES256-CCM          TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESCCM(256)             Mac=AEAD
ECDHE-ECDSA-ARIA256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ARIAGCM(256)            Mac=AEAD
ECDHE-ARIA256-GCM-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=ARIAGCM(256)            Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD
ECDHE-ECDSA-AES128-CCM8         TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESCCM8(128)            Mac=AEAD
ECDHE-ECDSA-AES128-CCM          TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESCCM(128)             Mac=AEAD
ECDHE-ECDSA-ARIA128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ARIAGCM(128)            Mac=AEAD
ECDHE-ARIA128-GCM-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=ARIAGCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384
ECDHE-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(256)           Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(256)           Mac=SHA384
ECDHE-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256
ECDHE-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(128)           Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(128)           Mac=SHA256

En parlant de certificats TLS, de sécurité et compagnies.

J’ajouterai une bêtise sur la configuration (essentielle) que tout le monde connaît :

Exemples de captures d’écran de configuration de Thunderbird :

Note de Moi-même le lendemain, le 20231113 : j’ai des erreurs, çà ne rentre plus en configurant le port 993 et çà ne part en port 587.

• SMTP on port 587 (pour le cryptage de la transaction entre votre ordinateur/smartphone et le serveur d’envoi - afin que personne au milieu ne puisse lire votre mot de passe transmis)

• imap on my port 993 (pour le cryptage de la transaction entre votre ordinateur/smartphone et le serveur recevant vos e-mails - afin qu’aucune personne intermédiaire ne puisse lire votre mot de passe transmis)

Commandes NMAP vérifiant les suites de chiffrement :

nmap --script ssl-enum-ciphers -p 143 imap.zw3b.eu -6
nmap --script ssl-enum-ciphers -p 993 imap.zw3b.eu -6
nmap --script ssl-enum-ciphers -p 25 smtp.zw3b.eu -6
nmap --script ssl-enum-ciphers -p 465 smtp.zw3b.eu -6
nmap --script ssl-enum-ciphers -p 587 smtp.zw3b.eu -6

J’ajoute ce lien web : Test SMTP with telnet or openssl

NdMoi-même 20231113 :

J’ai un truc cooL à lire : Postfix Configuration Parameters : #smtpd_tls_eecdh_grade
cet article → TLS Forward Secrecy in Postfix