Trouble with enabling TLS on Postfix

hirofumihida
February 03, 2017


Transcript

 1. Trouble with enabling TLS on Postfix
   by a certain infra person
   2017-02-03 21Caffe @ intra_security#2 LT

 2. About me
   ▸ Name: Hirofumi Hida
   ▸ Infrastructure engineer (mainly Unix)
   ▸ Sometimes get thrown into SI projects (today's story)
   ▸ Also do Ops (these days I prefer that side, if anything)
   ▸ Twitter: @gekko_qv
   ▸ Qiita: http://qiita.com/hirofumihida

 3. Preface
   ▸ What is Postfix?
   ▸ An MTA (mail transfer agent)
   ▸ Its smtpd server receives mail
   ▸ Its smtp client forwards mail to the next MTA
   ▸ What is TLS?
   ▸ Transport Layer Security: encryption of the connection
   ▸ In this project the segments to be TLS (encryption) enabled were: from the neighbouring MTA or the mail client to our smtpd server, and from our smtp client to the neighbouring smtpd server

 4. What went wrong 1/4
   ▸ I myself didn't know Postfix or mail security well
   ▸ Why assign someone like that as the main person?
   ▸ It felt like the company had simply dumped it on me... but
   ▸ The boss: "The preliminary investigation(?) is already done, so it's fine" lol
   ▸ Me: "Great. Looks like this will be an easy job.."
   ▸ Me: "Right then, let's check the current state."

 5. What went wrong 2/4
   ▸ The OpenSSL was far too old!
   ▸ Heartbleed was the least of it
   ▸ It couldn't even speak TLS 1.2!
   ▸ This one, at least, they agreed to upgrade.

 6. What went wrong 3/4
   ▸ The "preliminary investigation" they said had been done
   ▸ had only checked the Japanese documentation for a version older than the one on the actual machine..
   ▸ So in the end the configuration parameters had to be reviewed..
   ▸ and the verification redone..
   ▸ and as a knock-on effect of that..

 7. What went wrong 4/4
   ▸ No aging (soak) period..
   ▸ The conditions and tendencies under which the TLS cache DB bloats were murky..
   ▸ Later learned that RFC 5077 existed, but by then it was too late
   ▸ Between TLS 1.2 peers it doesn't grow, but it seems to grow when talking to SSLv3?

 8. What is RFC 5077?
   ▸ Transport Layer Security (TLS) Session Resumption without Server-Side State
   ▸ https://tools.ietf.org/html/rfc5077
   ▸ For details see https://techblog.yahoo.co.jp/infrastructure/ssl-session-resumption/
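To make the RFC 5077 point concrete, here is an added toy model (not code from the talk, and not Postfix's implementation) that contrasts the two resumption designs: a server-side session cache, where every new session adds an entry the server has to store and eventually expire (the cache DB that kept growing in the talk), and a stateless ticket, where the server hands the client an encrypted and authenticated copy of the session state and keeps nothing but the ticket key. The `StatefulCache` and `TicketIssuer` names, the JSON session state and the ticket encoding (an HMAC-SHA256 keystream plus an HMAC tag) are this example's own constructions, not the TLS ticket format.

```python
"""Toy model of server-side session cache vs RFC 5077-style stateless tickets.

Added example, not part of the original talk. The ticket encoding below is a
constructed illustration (HMAC-SHA256 keystream + HMAC tag), not the real TLS
NewSessionTicket format and not how any MTA implements it.
"""
import hashlib
import hmac
import json
import os


class StatefulCache:
    """Server-side cache: one stored entry per session (the cache DB in the talk)."""

    def __init__(self):
        self.entries = {}

    def new_session(self, session_state):
        session_id = os.urandom(16).hex()       # handle the client will present later
        self.entries[session_id] = session_state
        return session_id

    def resume(self, session_id):
        return self.entries.get(session_id)

    def stored_entries(self):
        return len(self.entries)


class TicketIssuer:
    """RFC 5077 style: the state travels inside the ticket, the server keeps only a key."""

    def __init__(self, ticket_key):
        # A real server rotates ticket keys; one fixed key here keeps the model small.
        self.ticket_key = ticket_key

    def _keystream(self, nonce, length):
        # PRF in counter mode: HMAC(key, nonce || counter) blocks concatenated.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.ticket_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def new_session(self, session_state):
        plaintext = json.dumps(session_state, sort_keys=True).encode()
        nonce = os.urandom(16)
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.ticket_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag           # nothing is stored on the server

    def resume(self, ticket):
        if len(ticket) < 16 + 32:
            return None
        nonce, ciphertext, tag = ticket[:16], ticket[16:-32], ticket[-32:]
        expected = hmac.new(self.ticket_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                           # forged, corrupted or wrong-key ticket: full handshake
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, self._keystream(nonce, len(ciphertext))))
        return json.loads(plaintext)

    def stored_entries(self):
        return 0


def simulate(resumer, n_clients):
    """Open n_clients sessions, resume each; return (sessions resumed, entries held on server)."""
    state = lambda i: {"client": i, "cipher": "TLS1.2-demo"}   # constructed session state
    handles = [resumer.new_session(state(i)) for i in range(n_clients)]
    resumed = sum(1 for i, h in enumerate(handles) if resumer.resume(h) == state(i))
    return resumed, resumer.stored_entries()


if __name__ == "__main__":
    print("stateful cache  (resumed, server entries):", simulate(StatefulCache(), 1000))
    print("stateless ticket (resumed, server entries):", simulate(TicketIssuer(os.urandom(32)), 1000))
```

Running it shows the asymmetry the talk ran into: with the cache, server-side entries grow one-for-one with sessions until a timeout sweeps them, while the ticket issuer resumes the same number of sessions with zero stored entries. A ticket that has been modified, or was issued under a different key, fails the tag check and simply forces a full handshake, which is the intended failure mode.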
 9. Lessons learned
   ▸ Don't let amateurs alone handle a security project
   ▸ Use the newest version of software you can, Postfix included
   ▸ If you must run an old Postfix, use at least 2.11, which supports RFC 5077
   ▸ Check the original documentation (the primary source) for the exact version running on the actual machine
   ▸ even if it only exists in English
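The following added audit script (not from the talk or the Postfix project) turns the lessons above into checks over a Postfix main.cf: a version below 2.11 (the threshold the talk gives for RFC 5077 support), SSLv2/SSLv3 still allowed in smtpd_tls_protocols or smtp_tls_protocols, and a session cache database configured with no explicit timeout. The parameter names are real Postfix parameters; the sample main.cf is constructed, the finding names and the rule of treating an unset protocol list as "verify your version's default" are this example's own assumptions, and the known-protocol set covers only what the talk mentions (SSLv2 to TLS 1.2).

```python
"""Audit main.cf-style text for the TLS lessons from the talk.

Added example, not the Postfix project's code. Parameter names are real
Postfix parameters; the checks, thresholds and sample data are this example's.
"""
import re

SAMPLE_MAIN_CF = """\
# constructed sample configuration, not taken from any real server
mail_version = 2.10.3
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtp_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""

MIN_VERSION = (2, 11)                                    # first release with RFC 5077 tickets, per the talk
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}   # what the talk covers; TLSv1.3 came later
LEGACY = ("SSLv2", "SSLv3")


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text; comments and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def allowed_protocols(value):
    """Resolve a Postfix protocol list written in exclusion form ('!SSLv3') or inclusion form ('TLSv1.2')."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    positive = {t for t in tokens if not t.startswith("!")}
    if positive:                                         # inclusion form: only the listed ones
        return positive
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return KNOWN_PROTOCOLS - excluded                    # exclusion form: everything not negated


def audit(params):
    """Return a sorted list of finding strings; an empty list means nothing to report."""
    findings = []
    version = params.get("mail_version")
    if version is not None:
        major_minor = tuple(int(n) for n in re.findall(r"\d+", version)[:2])
        if major_minor < MIN_VERSION:
            findings.append("postfix_older_than_2.11")
    for role in ("smtpd", "smtp"):                       # server side and client side are set separately
        proto_key = f"{role}_tls_protocols"
        if proto_key not in params:
            findings.append(f"{proto_key}_unset_verify_version_default")
        else:
            for legacy in LEGACY:
                if legacy in allowed_protocols(params[proto_key]):
                    findings.append(f"{proto_key}_allows_{legacy}")
        cache_key = f"{role}_tls_session_cache_database"
        if cache_key in params and f"{role}_tls_session_cache_timeout" not in params:
            findings.append(f"{cache_key}_without_explicit_timeout")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

On the constructed sample this reports the old version, SSLv3 still allowed on the smtpd side, an unset smtp-side protocol list, and both caches lacking an explicit timeout; a main.cf with version 3.x, both protocol lists excluding SSLv2 and SSLv3, and timeouts set for both caches comes back clean.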
 10. The end
   ▸ Thank you for listening :)