Am 2024-02-29 10:27, schrieb Viktor Dukhovni via Postfix-users:
> On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users wrote:
> 
> > # grep tls main.cf | grep -vE '^#'
> > 
> > smtp_tls_security_level = encrypt
> > smtpd_tls_ask_ccert = yes
> > smtpd_tls_CApath = $smtp_tls_CApath
> 
> Not generally applicable.

I agree. Hence my comment not to take it blindly. What is good for the particular server where I took this from may not be suitable for everyone.

> > smtp_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> > smtp_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> > smtpd_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> > smtpd_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> 
> Obsolete syntax.

This config has history...

> > tls_random_source = dev:/dev/urandom
> > smtpd_tls_eecdh_grade = auto
> 
> Best defaulted.

> > smtp_tls_CApath = /etc/ssl/certs
> 
> Pointless except when the security level is "secure" (or "verify").

You deleted the smtp_tls_policy_maps setting where this may or may not make sense for users...

> > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
> 
> Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers,
> which are fine to use.

From the OpenSSL man page:
---snip---
aNULL
The cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable to "man in the middle" attacks and so their use is discouraged. These are excluded from the DEFAULT ciphers, but included in the ALL ciphers. Be careful when building cipherlists out of lower-level primitives such as kDHE or AES as these do overlap with the aNULL ciphers. When in doubt, include !aNULL in your cipherlist.
---snip---

As I said, this should not be taken blindly. Best is to adapt it to the local security guidelines.

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
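As an added illustration (not code from either poster), the script below audits a main.cf excerpt for the four points raised in this exchange: parameters best left at their defaults, the obsolete protocol-exclusion syntax, a `smtp_tls_CApath` that is never consulted because no peer verification happens at the configured security level (and no `smtp_tls_policy_maps` is set), and a cipherlist that excludes aNULL. The sample configuration is constructed to resemble the quoted settings; the `parse_main_cf` and `audit_tls` names are mine.

```python
# Constructed main.cf excerpt, modelled on the settings quoted in this thread
SAMPLE_MAIN_CF = """\
# TLS settings (constructed sample)
smtp_tls_security_level = encrypt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
tls_random_source = dev:/dev/urandom
smtpd_tls_eecdh_grade = auto
tls_high_cipherlist = ALL:!RSA:!aNULL:!eNULL:!MD5:!RC4
"""

# Parameters the thread says are best left at Postfix's defaults
BEST_DEFAULTED = {"tls_random_source", "smtpd_tls_eecdh_grade"}


def parse_main_cf(text):
    """Return {parameter: value} from 'key = value' lines; comments and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def audit_tls(params):
    """Return [(parameter, finding)] for the issues raised in the thread, sorted by parameter."""
    findings = []
    level = params.get("smtp_tls_security_level", "may")
    for key, value in sorted(params.items()):
        if key in BEST_DEFAULTED:
            findings.append((key, "best left at the Postfix default"))
        elif key.endswith("_protocols") and "!" in value:
            # Exclusion lists are the obsolete form; newer Postfix releases also
            # accept a minimum-version form (assumed here, not stated in the thread).
            findings.append((key, "obsolete exclusion syntax"))
        elif key == "smtp_tls_CApath" and level not in ("secure", "verify") \
                and "smtp_tls_policy_maps" not in params:
            findings.append((key, "unused: no peer verification at level "
                             f"'{level}' and no smtp_tls_policy_maps"))
        elif key == "tls_high_cipherlist" and "!aNULL" in value:
            findings.append((key, "excludes aNULL ciphers, which are fine where "
                             "the peer is not authenticated anyway"))
    return findings


if __name__ == "__main__":
    for key, msg in audit_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{key}: {msg}")
```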


_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
