[BlueOnyx:14319] Recent BlueOnyx answered

Michael Stauber mstauber at blueonyx.it
Tue Jan 28 12:06:06 -05 2014


Hi all,

Greg created http://compassnetworks.uservoice.com/ as a place where
people could request features and products they want to see in the store.

However, messages about feature requests for BlueOnyx started to pop up
there, which is not really the right place for that. Please post feature
requests to this mailing list.

Here are some answers on the topics that have been asked:

1.) Review of SSL implementation for email related services on BlueOnyx:

A few months ago I reviewed and improved the SSL support for Apache in
BlueOnyx and announced that I'd also review the email related SSL
implementations (SMTPS, POP3S, IMAPS). I did, but didn't post the results.

To clear that up, here are my findings: It's all good. No immediate
action necessary.

You can test it yourself from a Linux prompt:

openssl s_client -connect <IP>:465 -crlf
openssl s_client -connect <IP>:993 -crlf
openssl s_client -connect <IP>:995 -crlf

That's for SMTPS, POP3S and IMAPS. A part of the response has all the
relevant data:

---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
6BA3DB6BEC3B7B81D0C48388B0E131BBF1B5ECA5ABDFCF28FA0DDB466D7D706B
    Session-ID-ctx:
    Master-Key:
920C8AD27368AC105BF7952BE73207CFA79A1D7826770E8A9F8F4F30E4933E7C6D37EDF44A068CCE1BEE0A076A04822A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1390926649
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

So our SSL implementation for SMTPS, POP3S and IMAPS uses the protocol
TLSv1 and the Cipher DHE-RSA-AES256-SHA (Diffie-Hellman RSA AES256 with
SHA checksum). The certificate is a 2048-bit one, provided you're not
using a really old certificate from ages ago before we switched to 2048-bit.

That's about as good as it gets and leaves little room for improvement.

Sure, TLSv1.2 would be better, but as it is it's not yet fully supported
by the underlying architecture.

2.) Restart email services when server SSL updated

> Q: When the server's SSL certificate is updated it restarts Apache
> and the management interface but it doesn't restart sendmail or
> dovecot.

Generally Sendmail and Dovecot only need to be restarted if the SSL
certificate for the server (i.e., the SSL cert for the GUI) is updated.
Cert changes on Vsites don't affect the email related SSL certificate,
as the server cert is used for all email related services.

The mandatory restart of email related services on server cert changes
was added seven weeks ago and is available in the patches in the
Testing repository. However, I just tested it and it's not yet fully
working. I'll fiddle with it some more and have it fixed before the
testing patches are moved to the production repository.

3.) Add AAAA records to DNS

> It would be fantastic if we could add IPv6 records to DNS on BlueOnyx

Yeah, it is on the list. However, the more I need to fiddle with fixing
things or extending functionality, the more the release of the new GUI
will be pushed further into the future. Therefore I don't want to add
new DNS functionality until after the release of the new GUI.

Anything else? Post it here and it'll get answered.

-- 
With best regards

Michael Stauber
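Editor's note on item 1.) above, with an added example that is not part of the original post and not BlueOnyx code: the protocol and cipher that openssl s_client reports are the best that the probing client's OpenSSL and the server's OpenSSL have in common, so a probe from a client with an old library can hide what the server could do, and a probe from a current client shows the server's real ceiling. The script below wraps the three s_client calls from the post into a check that pulls the protocol, cipher, server key size and verify return code out of the output and grades them. The thresholds (TLSv1.2 or newer, an ephemeral DHE/ECDHE key exchange, a 2048-bit key, verify return code 0) are the editor's choice, not the post's; -servername is added so the server sees SNI, which the post's commands did not send; the host name mail.example.com is a placeholder; and SAMPLE is the s_client session block quoted in the post, embedded so the parsing and grading run offline. Port 587 (submission) is not covered because it uses STARTTLS and would need -starttls smtp instead of an implicit-TLS connect.

```shell
#!/bin/sh
# Added example (not from the original post or from BlueOnyx): probe a host's
# implicit-TLS mail ports with openssl s_client and grade what comes back.
# Assumptions: the grading thresholds are the editor's, not the post's; SAMPLE
# is the s_client output quoted in the post, embedded so parsing and grading can
# be exercised offline; the host on the command line is a placeholder such as
# mail.example.com.

# tls_summary: read openssl s_client output on stdin and print one line:
#   <protocol> <cipher> <server key bits> <verify return code>
tls_summary() {
  awk '
    /^ *Protocol *:/        { proto  = $3 }
    /^ *Cipher *:/          { cipher = $3 }
    /^Server public key is/ { bits   = $5 }
    /Verify return code:/   { code   = $4 }
    END { printf "%s %s %s %s\n", proto, cipher, bits, code }'
}

# tls_grade PROTO CIPHER BITS CODE: print one finding per weakness and return
# 0 only if there are none.
tls_grade() {
  proto=$1 cipher=$2 bits=$3 code=$4
  rc=0
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "WEAK  protocol $proto (want TLSv1.2 or newer)"; rc=1 ;;
  esac
  case "$cipher" in
    # ephemeral (forward-secret) key exchange; every TLS 1.3 suite qualifies
    DHE-*|ECDHE-*|TLS_*) ;;
    *) echo "WEAK  cipher $cipher (no forward secrecy)"; rc=1 ;;
  esac
  if [ "${bits:-0}" -lt 2048 ]; then
    echo "WEAK  server key ${bits:-unknown} bit (want 2048 or more)"; rc=1
  fi
  if [ "$code" != "0" ]; then
    echo "CERT  verify return code $code (0 means the chain verified; 18 is self-signed)"; rc=1
  fi
  return $rc
}

# mail_tls_check HOST PORT: live probe of one implicit-TLS port (465, 993, 995).
# -servername sends SNI; </dev/null makes s_client exit right after the handshake.
mail_tls_check() {
  host=$1 port=$2
  summary=$(openssl s_client -connect "$host:$port" -servername "$host" -crlf \
              </dev/null 2>/dev/null | tls_summary)
  # unquoted on purpose: split the summary line into tls_grade's four arguments
  set -- $summary
  if [ $# -ne 4 ]; then
    echo "$host:$port -> no TLS session (refused, not implicit TLS, or unparsed output)"
    return 1
  fi
  echo "$host:$port -> $*"
  tls_grade "$@"
}

# Constructed offline input: the s_client session block quoted in the post.
SAMPLE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)'

# Usage: sh mail_tls_check.sh mail.example.com   (live probe of 465, 993, 995)
#        sh mail_tls_check.sh                    (grade the embedded SAMPLE only)
if [ $# -gt 0 ]; then
  status=0
  for port in 465 993 995; do
    mail_tls_check "$1" "$port" || status=1
  done
  exit $status
else
  summary=$(printf '%s\n' "$SAMPLE" | tls_summary)
  echo "sample -> $summary"
  tls_grade $summary || :
fi
```

Against the session block quoted in the post this reports two findings: the protocol is TLSv1 rather than TLSv1.2, and the verify return code is 18 because the certificate is self-signed. The key exchange (DHE) and the 2048-bit key pass. To have the chain actually verified instead of seeing code 18, pass the issuing CA bundle to s_client with -CAfile.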
