
Egor Erastov
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

 

Which TLS protocols are allowed by default

By default, the following TLS protocols are allowed in Kaspersky Secure Mail Gateway 2.1 for SMTP data transfer:

TLS security mode: Attempt TLS Encryption

  Crypto-Policy = DEFAULT (the default)
    TLS 1.2 and TLS 1.3 are allowed.
    TLS 1.0, TLS 1.1 and SSL 2.0/3.0 are not allowed.
    Unencrypted data transfer in the SMTP session (plain text) is also allowed; the sender decides whether to encrypt.

  Crypto-Policy = LEGACY
    TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3 are allowed.
    SSL 2.0/3.0 are not allowed.
    Unencrypted data transfer in the SMTP session (plain text) is also allowed; the sender decides whether to encrypt.

  Configuration file parameters:
    smtpd_tls_protocols, smtpd_tls_exclude_ciphers (receiving)
    smtp_tls_protocols, smtp_tls_exclude_ciphers (sending)

TLS security mode: Require TLS Encryption

  Crypto-Policy = DEFAULT (the default)
    TLS 1.2 and TLS 1.3 are allowed.
    TLS 1.0, TLS 1.1 and SSL 2.0/3.0 are not allowed.
    Unencrypted data transfer is not allowed.

  Crypto-Policy = LEGACY
    TLS 1.2 and TLS 1.3 are allowed.
    TLS 1.0, TLS 1.1 and SSL 2.0/3.0 are not allowed (the same as with DEFAULT).
    Unencrypted data transfer is not allowed.

  Configuration file parameters:
    smtpd_tls_mandatory_protocols, smtpd_tls_mandatory_exclude_ciphers (receiving)
    smtp_tls_mandatory_protocols, smtp_tls_mandatory_exclude_ciphers (sending)
TLS security mode is configured separately for receiving and for sending messages in the settings of the built-in MTA; see the documentation for details: Configuring TLS for KSMG (kaspersky.com)

If necessary, you can change the list of forbidden protocols and cipher suites for Attempt TLS Encryption mode by editing the configuration files of the built-in MTA from technical support mode. Changing the list of allowed protocols for the strict mode (Require TLS Encryption) is not recommended.

By default, Rocky Linux 9 uses the DEFAULT system crypto policy, which prohibits protocols below TLS 1.2; a Postfix setting alone cannot re-enable them. If you want to allow such protocols, you must first change the policy to LEGACY. Keep in mind that the crypto policy is system-wide: lowering it to LEGACY also relaxes the limits for every other service on the node that uses the system OpenSSL, not only the embedded MTA. Besides protocols, the system policy limits the minimum key length and the list of encryption algorithms; see the documentation for details.

Procedure for changing the system encryption policy

To change the system encryption policy, perform the following procedure:

1) Connect to the cluster node via SSH to access technical support mode.

2) Check the current encryption policy set at the operating system level:

update-crypto-policies --show

3) If necessary, change the policy to LEGACY, using the command:

update-crypto-policies --set LEGACY

4) To apply the system policy on the embedded MTA, restart the service using the command:

systemctl restart postfix

5) Check the status of the postfix service, it should be running:

systemctl status postfix

This completes the procedure. The described steps must be repeated on each node in the cluster.

Note: If you want to switch back to the DEFAULT policy, perform the same procedure, specifying DEFAULT instead of LEGACY in the command in step 3.

How to change the list of prohibited TLS protocols

To change the list of forbidden TLS protocols for Attempt TLS Encryption mode, perform the following procedure:

1) Connect to the cluster node via SSH to access technical support mode.

2) Navigate to the directory where the embedded MTA configuration file templates are located:

cd /opt/kaspersky/ksmg-appliance-addon/share/templates

3) Back up the main.cf.template file if you haven't done so before:

cp -p main.cf.template main.cf.template.backup

4) Open the main.cf.template file for editing with a text editor:

vim main.cf.template

5) Configure parameters for receiving messages - find lines with directives smtpd_tls_protocols and smtpd_tls_exclude_ciphers, add protocols and algorithms you want to exclude to the list:

Example: If you want to disallow the use of TLS 1.0:

smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

Example: If you want to prohibit the use of TLS 1.0 and TLS 1.1:

smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Example: If you want to prohibit the use of anonymous ciphers:

smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, aNULL

Example: If you want to prohibit the use of anonymous ciphers and the RC4 encryption algorithm:

smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, aNULL, RC4

6) Configure parameters for sending messages - find lines with directives smtp_tls_protocols and smtp_tls_exclude_ciphers, add protocols and algorithms you want to exclude to the list:

Example: If you want to prohibit the use of TLS 1.0:

smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1

Example: If you want to prohibit the use of TLS 1.0 and TLS 1.1:

smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Example: If you want to prohibit the use of anonymous ciphers:

smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, aNULL

Example: If you want to prohibit the use of anonymous ciphers and the RC4 encryption algorithm:

smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, aNULL, RC4

7) Save the changes in the main.cf.template file

8) To apply the changes to the template, change some setting of the built-in MTA via the web interface. For example, you can increase the value of the Message Size Limit setting by one (Options - Embedded MTA - Main Settings), save the changes, and then revert to the previous value.

9) Verify that the changes are in the main configuration file of the embedded MTA by running the command:

postconf smtpd_tls_protocols smtpd_tls_exclude_ciphers smtp_tls_protocols smtp_tls_exclude_ciphers

10) Check the status of the postfix service, it should be running:

systemctl status postfix

This completes the procedure. The described steps should be repeated on each node of the cluster.
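The two procedures above interact: the Postfix directives and the system crypto policy are both applied, so TLS 1.0 appears only when both allow it. The script below is an added example written for this post, not code from KSMG or Postfix. It models that interaction with the policy behaviour stated above (DEFAULT blocks everything below TLS 1.2, LEGACY allows TLS 1.0 and later), rewrites the four Attempt-TLS directives in a copy of the template the way steps 5 and 6 describe, and audits `postconf`-style output for the risks discussed here. SAMPLE_TEMPLATE is a constructed excerpt, not the real main.cf.template, and the host name in the commented-out probe call is hypothetical.

```python
"""Audit and edit the embedded MTA's TLS protocol settings (added example).

Illustrative code written for this post, not part of KSMG or Postfix. It
assumes the policy behaviour stated in the post (DEFAULT blocks everything
below TLS 1.2, LEGACY allows TLS 1.0 and later) and Postfix's *_tls_protocols
syntax. SAMPLE_TEMPLATE is a constructed excerpt, not a real main.cf.template.
"""
import re
import smtplib
import ssl

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
POLICY_ALLOWED = {  # versions the OS crypto policy lets OpenSSL negotiate
    "DEFAULT": {"TLSv1.2", "TLSv1.3"},
    "LEGACY": {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"},
}
# Directives for Attempt TLS Encryption; the *_mandatory_* ones are left alone.
DIRECTIVES = ("smtpd_tls_protocols", "smtp_tls_protocols",
              "smtpd_tls_exclude_ciphers", "smtp_tls_exclude_ciphers")


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [i for i in re.split(r"[\s,]+", value.strip()) if i]


def parse_protocol_list(value):
    """Versions a *_tls_protocols value permits: exclusions ("!SSLv2, !SSLv3"),
    the Postfix 3.6+ floor form (">=TLSv1.2") or a plain inclusion list.
    An empty value allows everything."""
    include, exclude, floor = set(), set(), 0
    for item in split_list(value):
        if item.startswith(">="):
            floor = max(floor, PROTOCOLS.index(item[2:]))
        elif item.startswith("!"):
            exclude.add(item[1:])
        else:
            include.add(item)
    return (include or set(PROTOCOLS[floor:])) - exclude


def effective_protocols(value, policy):
    """What can really be negotiated: the Postfix list AND the system policy."""
    return parse_protocol_list(value) & POLICY_ALLOWED[policy]


def parse_settings(text):
    """Map 'name = value' lines (main.cf or postconf output) to a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def harden_template(text, protocol_excludes=("TLSv1", "TLSv1.1"),
                    cipher_excludes=("aNULL", "RC4")):
    """Append missing exclusions to the four opportunistic-TLS directives.
    Existing entries are kept and nothing is added twice (idempotent)."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1) in DIRECTIVES:
            name, items = m.group(1), split_list(m.group(2))
            wanted = ([f"!{p}" for p in protocol_excludes]
                      if name.endswith("_protocols") else list(cipher_excludes))
            items += [w for w in wanted if w not in items]
            line = f"{name} = {', '.join(items)}"
        out.append(line)
    return "\n".join(out) + "\n"


def audit(text, policy):
    """Findings for the risks discussed in the post; an empty list is clean."""
    settings, findings = parse_settings(text), []
    for name in DIRECTIVES:
        value = settings.get(name, "")
        if name.endswith("_protocols"):
            weak = effective_protocols(value, policy) - {"TLSv1.2", "TLSv1.3"}
            if weak:
                findings.append(f"{name}: {sorted(weak)} negotiable under {policy}")
        elif "aNULL" not in split_list(value):
            findings.append(f"{name}: anonymous (aNULL) ciphers not excluded")
    return findings


def probe_starttls(host, version, port=25, timeout=10):
    """Live check (needs network): STARTTLS pinned to one TLS version; True means
    the server accepted it. Run from a client whose own crypto policy permits
    that version, otherwise the failure is the client's, not the server's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # version check only, not certificate validation
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return True
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return False


SAMPLE_TEMPLATE = """\
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
"""

if __name__ == "__main__":
    # Same Postfix value, different system policy: only LEGACY exposes TLS 1.0/1.1.
    for policy in POLICY_ALLOWED:
        print(policy, sorted(effective_protocols("!SSLv2, !SSLv3", policy)))
    hardened = harden_template(SAMPLE_TEMPLATE)
    print(hardened)
    print("before:", audit(SAMPLE_TEMPLATE, "LEGACY"))
    print("after: ", audit(hardened, "LEGACY"))
    # probe_starttls("mail.example.test", ssl.TLSVersion.TLSv1)  # hypothetical host
```

After applying the change and restarting postfix, feed the output of the `postconf` command from step 9 to `audit()` with the policy reported by `update-crypto-policies --show`; a non-empty result means a weak version or anonymous cipher is still negotiable in Attempt TLS Encryption mode. `probe_starttls()` confirms the server-side behaviour from outside, but only from a client that is itself allowed to speak the version being tested.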
