
With hackers around every corner and governments wanting to read your email, encryption is a necessity nowadays. Most major sites are now only available over HTTPS, and more and more instant messengers use encryption. But what about email, an old protocol that is still very popular and that we can't do without any more? How can we increase its security?

Of course you can use S/MIME or PGP for end-to-end encryption, but the problem is that in transit between mail servers the From, To, Cc and Subject fields are not encrypted. For this we can use Transport Layer Security (TLS) between the SMTP servers. As of June 2018, from Google's perspective 89% of outbound mail and 88% of inbound mail is encrypted.

In this post I will show how I set up an SMTP server running Postfix with TLS encryption and the correct ciphers, so that email between SMTP servers uses strong encryption where possible.

Postfix mail daemon

First you need to know that Postfix has separate mail daemons for handling the different flows of mail, and each daemon is configured separately. So it is possible to accept weak ciphers on incoming connections while only using strong ciphers when delivering mail to the outside.

The two that are responsible for handling mail coming in from and going out to the world are:

smtpd - The SMTP daemon process for handling incoming mail and delivering it to the appropriate internal location.

smtp - The SMTP daemon process for delivering mail out to the world.

Default config test

Let's first see how good the default config is for incoming mail to the smtpd daemon. Normally I would test with SSL Labs, but sadly that only checks HTTPS and can't check SMTP/STARTTLS. An alternative is ImmuniWeb, which we will use later. There is also a self-hosted shell script tool at https://testssl.sh/ which can check the SSL/TLS settings and vulnerabilities of your mail server.

To test with testssl.sh, run the following after installing it.

Below is a summary of the issues with the default Postfix config on Ubuntu 16.04.

Let's see how we can fix these issues.

Trusted certificate

While it is not mandatory for a mail server to have a trusted certificate, nowadays it is easy and free to get one from Let's Encrypt. So request one and use it for Postfix. Make sure you use the full chain, so that the intermediate certificates are also sent.

What about a client certificate for the smtp daemon? The Postfix TLS readme is very clear on this: http://www.postfix.org/TLS_README.html

Do not configure Postfix SMTP client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them. The recommended setting is to let the defaults stand:

Disable SSL and TLSv1

Next we disable all SSL versions and TLSv1 and allow only high ciphers, for both smtp and smtpd. This mitigates BEAST. We also want to negotiate the strongest cipher available with the remote server.

Disable deprecated ciphers

And exclude some deprecated, not so secure ciphers.

Use opportunistic encryption

With a mail server we want to use opportunistic encryption. We don't force encryption: that sounds secure, but not all other mail servers support encryption, so in the worst case you would not receive mail from, or be able to send mail to, servers that don't support TLS.

This is also stated in RFC 2487:

A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. This rule prevents the STARTTLS extension from damaging the interoperability of the Internet's SMTP infrastructure.

To set opportunistic encryption, enable the following settings.

Quoted from http://www.postfix.org/TLS_README.html

At the 'may' TLS security level, TLS encryption is opportunistic. The SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the server. Otherwise, messages are sent in the clear. Opportunistic TLS can be configured by setting 'smtp_tls_security_level = may'.

With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.

You can ENFORCE the use of TLS, so that the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption, by setting 'smtpd_tls_security_level = encrypt'. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server. This option is off by default and should only seldom be used.

We could also validate remote certificates for the smtp daemon with the verify or secure level, as you would normally do with HTTPS in a browser, but with a mail server this is not common, since the majority of them would fail validation due to poor setup. So you would lose email if you used this.

With these settings we are still susceptible to a downgrade attack. This is because email was invented in 1982 and SSL/TLS in 1999, so security had to be bolted onto an existing protocol while maintaining backward compatibility. And we still want to be able to send and receive email from legacy or poorly configured servers.

There are some options coming to solve these issues, like MTA-STS or a STARTTLS policy list. But these are still very new and not broadly supported yet (June 2018). Maybe another time I will make a post about these.

Secure Client-Initiated Renegotiation

On Ubuntu 16.04 with Postfix version 3.1.0-3ubuntu0.3 and OpenSSL version 1.0.2g-1ubuntu4.15 you can't solve this issue.

Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), potential DoS threat

But this is not a major issue.

The impact of TLS-based attacks on SMTP should not be over-stated. Presently, most SMTP clients don't verify the TLS certificates of SMTP servers. Such clients are already vulnerable to ordinary man-in-the-middle attacks, and TLS renegotiation introduces no new threats for them.

The Postfix SMTP server with OpenSSL is not affected by the TLS renegotiation attack that redirects and modifies SMTP mail, due to accidental details of the Postfix and OpenSSL implementations.

On Ubuntu 18.04 we have Postfix 3.3.0-1ubuntu0.2 and OpenSSL 1.1.1-1ubuntu2.1~18.04.4. With OpenSSL 1.1.1 we can disable renegotiation via tls_ssl_options, and then the vulnerability is gone.

Postfix 3.3:

In Postfix 3.4 you can also set it without the hex code.
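To see the hardening steps above together, here is an added example (not the post's own config) that audits a main.cf fragment for each of them: a weak fragment standing in for the stock Ubuntu 16.04 defaults beside a hardened one. Both fragments are constructed, and the Let's Encrypt paths are placeholders.

```python
"""Audit Postfix main.cf TLS settings against the hardening steps in the post.
Added example, not the post's own config; both fragments are constructed."""

WEAK_MAIN_CF = """\
# constructed stand-in for a stock Ubuntu 16.04 main.cf (TLS-related lines only)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
"""

HARDENED_MAIN_CF = """\
# constructed fragment following the post; certificate paths are placeholders
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5
tls_preempt_cipherlist = yes
tls_ssl_options = NO_RENEGOTIATION
"""

def parse_main_cf(text):
    """Return {parameter: value}; comments skipped, one 'key = value' per line assumed."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def audit_tls(text):
    """Return findings for each step of the post that the fragment does not follow."""
    p, findings = parse_main_cf(text), []
    for d in ("smtpd", "smtp"):  # incoming and outgoing daemons are configured separately
        if p.get(f"{d}_tls_security_level") != "may":
            findings.append(f"{d}_tls_security_level should be 'may' (opportunistic TLS)")
        protos = p.get(f"{d}_tls_protocols", "").replace(" ", "").split(",")
        missing = [v for v in ("SSLv2", "SSLv3", "TLSv1") if f"!{v}" not in protos]
        if missing:
            findings.append(f"{d}_tls_protocols does not exclude {', '.join(missing)}")
        if p.get(f"{d}_tls_ciphers") != "high":
            findings.append(f"{d}_tls_ciphers should be 'high'")
        if not p.get(f"{d}_tls_exclude_ciphers"):
            findings.append(f"{d}_tls_exclude_ciphers is empty; deprecated ciphers stay enabled")
    if "snakeoil" in p.get("smtpd_tls_cert_file", ""):
        findings.append("smtpd_tls_cert_file is the self-signed snakeoil certificate")
    opts = p.get("tls_ssl_options", "")
    if "NO_RENEGOTIATION" not in opts and "0x40000000" not in opts:
        findings.append("tls_ssl_options does not disable client-initiated renegotiation")
    return findings
```

On Postfix 3.3 with OpenSSL 1.1.1 the renegotiation check accepts the hex value instead of the NO_RENEGOTIATION name, matching the two variants the post describes.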

Test new config

After applying these settings, restarting Postfix and checking again with testssl.sh, all issues reported earlier are gone, with maybe the exception of the renegotiation issue, depending on your Postfix/OpenSSL version.

immuniweb

Another tool you can test with online is https://www.immuniweb.com/ssl/, which can also check mail servers; make sure you add :25 to the end of your hostname. With the above SSL/TLS settings for Postfix you get an A or an A+, depending on your Postfix and OpenSSL version. If you are using this site, make sure to hit refresh after you have changed your Postfix config, or else you will get cached results.

ImmuniWeb will give the following warning. This is because Postfix doesn't support OCSP stapling, so we cannot do anything about it and will ignore it. It is also one of the issues reported under HIPAA compliance and NIST.

SERVER DOES NOT SUPPORT OCSP STAPLING

Check the logs / headers if it is working

How do I know when mail is delivered over TLS? You can look in the mail logs. But before this is logged, you need to enable the TLS log level.

After that you will see something like this for incoming mail via the smtpd daemon, in this case from Google/Gmail.


And for outgoing mail using the smtp daemon.

If you want the information in the email headers you can enable the following option.

Then if you view the headers of the email message you will see which cipher was used for this connection.

A one-liner to check how many connections were made with which ciphers.

But if you want only real connections, we need to filter out some internet search/scanning engines. So we filter out Shodan, ImmuniWeb and Internet Census. After that we notice that we only had TLSv1.2 connections!
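The same count as the one-liner and the scanner filtering just described, as an added example that is not the post's own command: it parses the "TLS connection established" lines that smtpd and smtp write at TLS log level 1 and tallies protocol and cipher. The log lines are constructed (documentation IP ranges, example hostnames); the scanner hostnames only need to contain the fragments the post filters on.

```python
"""Summarise TLS protocol/cipher use from Postfix mail logs, as the one-liner above does,
with the scanner filtering the post describes. Added example, not the post's own command;
the log lines are constructed and use documentation IP ranges."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jun 12 10:01:02 mx postfix/smtpd[1234]: connect from mx1.example.org[198.51.100.10]
Jun 12 10:01:02 mx postfix/smtpd[1234]: Anonymous TLS connection established from mx1.example.org[198.51.100.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun 12 10:03:11 mx postfix/smtp[1240]: Trusted TLS connection established to mail.example.net[203.0.113.26]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Jun 12 10:05:40 mx postfix/smtpd[1251]: Anonymous TLS connection established from census8.shodan.io[198.51.100.17]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 12 10:06:05 mx postfix/smtpd[1252]: Anonymous TLS connection established from scanner.immuniweb.com[203.0.113.8]: TLSv1.2 with cipher AES256-SHA256 (256/256 bits)
Jun 12 10:07:30 mx postfix/smtpd[1253]: Anonymous TLS connection established from probe.internet-census.org[192.0.2.200]: TLSv1.1 with cipher AES128-SHA (128/128 bits)
Jun 12 10:09:00 mx postfix/smtpd[1260]: Anonymous TLS connection established from unknown[198.51.100.99]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
""".splitlines()

# Matches both the incoming (smtpd, "from") and outgoing (smtp, "to ...:25") log variants.
LOG_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: (?P<trust>\w+) TLS connection established "
    r"(?:from|to) (?P<host>\S+?)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")

# Hostname fragments of the scanning engines the post filters out.
SCANNER_MARKERS = ("shodan", "immuniweb", "internet-census")

def parse_tls_log(lines):
    """Yield one dict per 'TLS connection established' line; other log lines are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()

def is_scanner(host):
    return any(marker in host.lower() for marker in SCANNER_MARKERS)

def cipher_summary(lines, skip_scanners=True):
    """Count connections per (protocol, cipher); scanners are excluded unless asked for."""
    counts = Counter()
    for rec in parse_tls_log(lines):
        if skip_scanners and is_scanner(rec["host"]):
            continue
        counts[(rec["proto"], rec["cipher"])] += 1
    return counts

def protocols_seen(lines, skip_scanners=True):
    """The set of TLS versions negotiated, e.g. {'TLSv1.2'} once scanners are filtered."""
    return {proto for proto, _ in cipher_summary(lines, skip_scanners)}

if __name__ == "__main__":
    for (proto, cipher), n in sorted(cipher_summary(SAMPLE_LOG).items()):
        print(f"{n:4d}  {proto:8s} {cipher}")
    print("scanners included:", sorted(protocols_seen(SAMPLE_LOG, skip_scanners=False)))
```

On a real server, replace SAMPLE_LOG with the lines of /var/log/mail.log; the older TLS versions only show up once the scanners are counted too, which is the effect the post describes.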

After implementing these settings, your mail server will exchange email with other mail servers using strong encryption where possible.

Changelog

Update June 2018
Added MTA-STS and STARTTLS policy list info and links.

Update September 2019
Added one-liner.

Update September 2019
When I wrote this guide I had used Ubuntu 16.04 for testing. With Ubuntu 18.04 and Postfix, TLS 1.3 is also supported.

Update September 2019
Added/rewrote Secure Client-Initiated Renegotiation.



User Interface

  • Set language
  • Show ID instead of Alias
  • Hide local taskbar when window is maximized
  • Ask for session comment after session
The session comment will be sent to the AnyDesk Portal linked to the current licence.
  • Open Address Book on startup
  • Display Accept Window on incoming chat message.
Each time a chat message arrives, the Accept Window will come to the foreground.


Security

Might need to be unlocked first (e.g. if AnyDesk is installed). This can be done by administrators only.


Interactive Access

Incoming session requests can either be automatically rejected or need user interaction.
In case Interactive Access is enabled, the Accept Window will be shown whenever an incoming session request arrives.
To start the session the request has to be accepted either by pressing 'Accept' in the Accept Window or by sending valid credentials (see Unattended Access).

There are three options for incoming session requests:

  • Allow always
  • Only allow when AnyDesk's main window is open
  • Disable
Note: In case Interactive Access is disabled, session requests can still be accepted by sending valid credentials (see Unattended Access).

Unattended Access

See Unattended Access.

Access Control List white-listing a namespace.

Access Control List

  • Limit access to your device by using a whitelist.
  • Incoming session requests from IDs/Aliases that do not match at least one listed criterion will be blocked automatically.
  • Wildcards are supported. For example to allow access from all members of a namespace called namespace add *@namespace to the list.

Updates

  • Keep your AnyDesk client automatically up to date. This is not yet available for custom clients.
  • Download updates and ask for installation.
  • Disable auto-update.
  • Beta version

Privacy


User Name: A custom or user account name displayed in various locations.
User Image: A custom or user account image displayed in various locations, including the Accept Window. Can be disabled.
Desk Preview: A screenshot or wallpaper of your device displayed in the Address Book or the list of Recent Sessions of other AnyDesk clients. Can be disabled.
Screenshot Path: The path where to save screenshots made during a session.
Chat Log: The path where to save the chat log. Chat logging can be disabled from here.

Display

Quality: Choose between higher quality or a better reaction time.
Visual Helpers: These helpers give you better visibility of actions, like:
  • Show remote cursor
  • Follow remote cursor
  • Show move/size helper
  • Transmit hotkeys
View Mode: Controls how the remote image is displayed locally: original size, shrunk or stretched. Choose whether to start new sessions in fullscreen mode and whether to use edge scrolling in original mode.
Hardware Acceleration: Choose your preferred renderer (OpenGL/Direct3D/DirectDraw) or disable acceleration. You can also choose to reduce the rendering to 16 bit.
Individual Settings: Save settings for each desk or reset them after AnyDesk is restarted.

Audio

More information on AnyDesk Audio can be found by clicking here.

Connection

Connections Tab in Settings

Direct Connection

Direct connections are usually faster than those using a server to communicate. However, in some network environments the connection may be closed after some time, for example because of firewall interaction. Disable direct connections in the settings to avoid unexpected session ends.

Local Port Listening

For direct connections in the local network, TCP port 7070 is used for listening by default. This port is opened when installing AnyDesk. To specify a custom port go to Settings » Connection. (Must be set for all clients.)

HTTP-Proxy

AnyDesk supports using a Proxy Server. Available working modes are:

  • disabled
  • determined automatically (Proxy Auto-Config / PAC)
  • specified
  • IP
  • Port
  • Authentication

Note: The proxy must support the CONNECT method. Authentication can be done with basic access and digest access. NTLM is supported in the current beta.

File Transfer

See File_Manager_and_File_Transfer.

Recording


See Session Recording.
