Blog

Advertise

Directory
DarkHunt Logo

Blog

Advertise

Directory



Preventing man-in-the-middle attacks on fetchmail and postfix


First of all, you need to download the server certificate: Then copy the output of that command to a file, say gmail.out , and extract its md5 fingerprint: Once you have the fingerprint, add it to your ~/.fetchmailrc : Postfix - Similarly, ...


Onion Details


Page Clicks: 0

First Seen: 03/11/2024

Last Indexed: 10/21/2024

Domain Index Total: 195


Onion Content


Recent attacks against the DNS infrastructure have exposed the limitations of relying on TLS/SSL certificates for securing connections on the Internet. Given that typical mail servers don't rotate their keys very often, it's not too cumbersome to hardcode their fingerprints and prevent your mail software from connecting to them should the certificate change. This is similar to how most people use ssh: assume that the certificate is valid on the first connection, but be careful if the certificate changes afterwards. Fetchmail Here's how to specify a certificate for a POP/IMAP server (Gmail in this example). First of all, you need to download the server certificate: openssl s_client -connect pop.gmail.com:995 -showcerts openssl s_client -connect imap.gmail.com:993 -showcerts Then copy the output of that command to a file, say gmail.out , and extract its md5 fingerprint: openssl x509 -fingerprint - md5 -noout -in gmail.out Once you have the fingerprint, add it to your ~/.fetchmailrc : poll pop.gmail.com protocol pop3 user " remoteusername " is " localusername " password " mypassword " fetchall ssl sslproto ssl3 sslfingerprint " 12:34:AB:CD:56:78:EF:12:34:AB:CD:56:78:EF:12:34 " Postfix Similarly, to detect changes to the certificate on your outgoing mail server (used as a smarthost on your local postfix instance), extract its sha256 fingerprint: openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts openssl x509 -fingerprint -sha256 -noout -in isp.out Then add the fingerprint to /etc/postfix/main.cf : relayhost = smtp.gmail.com smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_tls_security_level = fingerprint smtp_tls_mandatory_ciphers = high smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_fingerprint_digest = sha256 smtp_tls_fingerprint_cert_match = 12:34:AB:CD:56:78:EF:90:12:AB:CD:34:56:EF:78:90:AB:CD:12:34:AB:DD:44:66:DA:77:CF:DB:E4:A7:02:E1 Add a comment


IMPORTANT

By using this website, you agree to our Terms and Conditions. The content is for educational purposes only. Please use it at your own risk.