I am running Postfix mail-mta/postfix-3.8.5 with dev-libs/openssl-3.0.13. If I understood correctly, my Postfix server should not use an FF group with 1024 bits, but at least 2024 bits. (References to the docs are given below.)

So the question still stands: how do I ensure that Postfix uses at least 2048-bit DH if TLS 1.2 and FFDH have been negotiated?

> You are assessing opportunistic TLS? Ignore it.

Unfortunately not. Yes, we are speaking about opportunistic TLS, as I am looking at my mail server in the role of an SMTP server for incoming mail from the public Internet. I must not make TLS encryption mandatory, as there are still a lot of (legacy) systems out there which do not support TLS (unfortunately). For the same reason, I don't want to disable FFDH completely, as there are even more legacy servers on the public Internet which still do not support EC. At the same time, I have to meet certain legal regulations which mandate a minimum cryptographic strength. So while it is seemingly fine to not use TLS at all on the one hand, TLS must meet certain minimal requirements if it is used on the other hand. I mean, I also disable SSL 3.0, TLS 1.0 and TLS 1.1 and only allow TLS 1.2 or 1.3 besides plain transport. From a technical perspective one could also argue that leaving SSL 3.0 and TLS <1.2 enabled is still better than plain transport.

I wonder whether setting `smtpd_tls_dh1024_param_file` to a custom 2048-bit DH group would help? But from my understanding of the docs that should not be necessary, as Postfix 3.8.5 uses a built-in 2048-bit group if left empty.

PS: As of January 2024, the German BSI has tightened its recommendation for asymmetric algorithms over finite fields to at least 3000 bits (i.e. RSA encryption, RSA signatures and FFDH).

See "FFDHE Server support" in https://www.postfix.org/FORWARD_SECRECY_README.html#quick-start

> In Postfix < 3.8, or OpenSSL prior to 3.0, FFDHE for TLS 1.2 or below
> works "out of the box" [...]
>
> The built-in default Postfix FFDHE group is a 2048-bit group as of
> Postfix 3.1. You can optionally generate non-default Postfix SMTP server
> FFDHE parameters [...], but this is not [...] recommended. Just leave
> "smtpd_tls_dh1024_param_file" at its default empty value.
>
> The set of FFDHE groups enabled for use with TLS 1.3 becomes
> configurable with Postfix ≥ 3.8 and OpenSSL ≥ 3.0. The default setting
> of "tls_ffdhe_auto_groups" enables the RFC7919 2048 and 3072-bit groups.

In https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

> File with DH parameters that the Postfix SMTP server should use with
> non-export EDH ciphers.
>
> With Postfix ≥ 3.7, built with OpenSSL version is 3.0.0 or later, if the
> parameter value is either empty or "auto", then the DH parameter
> selection is delegated to the OpenSSL library [...] Custom local
> parameters are no longer recommended when using Postfix ≥ 3.7 built
> against OpenSSL 3.0.0.
>
> [...] As of Postfix 3.1, the compiled-in default prime is 2048-bits, and
> it is not strictly necessary, though perhaps somewhat beneficial to
> generate custom DH parameters.

In https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups

> The default list of FFDHE groups that Postfix enables in OpenSSL 3.0
> and up includes just the 2048 and 3072-bit groups. [...]
>
> Setting this parameter empty disables FFDHE support in TLS 1.3. Whether
> FFDHE key agreement is enabled in TLS 1.2 and earlier depends on whether
> any of the "kDHE" ciphers are included in the cipherlist.
>
> This feature is available in Postfix 3.8 and later, when it is compiled
> and linked with OpenSSL 3.0 or later.

On Saturday, 23 March 2024, 13:02:05 CET, Bastian Blank via Postfix-users wrote:
> On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users wrote:
> > I am currently assessing the TLS security of a Postfix mail server and
> > among other things sslscan reported that the server allows a (non-EC) DH
> > exchange with only 1024 bits. While one solution would be to only allow
> > ECDH(E) and disable DH(E) entirely, I would rather like to keep support for
> > DH(E) for compatibility reasons but only enforce a lower limit on the size
> > of the finite group (maybe 2048 bit, or even 3072 bits preferably). How do
> > I do that with Postfix? I cannot find any smtpd_tls_... setting which seems
> > related to that aspect.
>
> You are assessing mandatory TLS? Then disable non-ECDHE.
>
> You are assessing opportunistic TLS? Ignore it.
>
> Bastian

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
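The check behind the question above, as an added example that is not part of the thread: force a TLS 1.2 STARTTLS handshake with only kDHE ciphers offered and compare the FFDHE group size OpenSSL reports against a 2048-bit minimum. It assumes `openssl s_client` is available; `mail.example.test` is a placeholder host, and the sample output lines are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: verify the FFDHE group size a Postfix
# SMTP server negotiates for TLS 1.2 when only kDHE ciphers are offered.
# Assumes openssl s_client; mail.example.test is a placeholder host name.

MIN_DH_BITS=2048

# Open a STARTTLS session forcing TLS 1.2 and ephemeral finite-field DH
# ciphers only, so the server must pick an FFDHE group or fail the handshake.
probe_ffdhe() {
    openssl s_client -starttls smtp -connect "$1:${2:-25}" -tls1_2 \
        -cipher 'kDHE' </dev/null 2>/dev/null
}

# Read s_client output on stdin and print the temp key size in bits.
# The regex tolerates extra text between "DH," and "<n> bits".
# Prints 0 when no "Server Temp Key: DH" line is present (no FFDHE used).
dh_bits_from_output() {
    awk '/^Server Temp Key: DH/ && match($0, /[0-9]+ bits/) {
             print substr($0, RSTART, RLENGTH - 5); found = 1
         }
         END { if (!found) print 0 }'
}

# Return 0 (true) when the bit count given as $1 meets the minimum.
dh_bits_ok() {
    [ "$1" -ge "$MIN_DH_BITS" ]
}

# Constructed sample of the relevant s_client lines (no network needed).
SAMPLE_2048='Server Temp Key: DH, 2048 bits
Protocol  : TLSv1.2
Cipher    : DHE-RSA-AES256-GCM-SHA384'
SAMPLE_1024='Server Temp Key: DH, 1024 bits'

# Parse one s_client transcript and report whether the group is acceptable.
check_sample() {
    bits=$(printf '%s\n' "$1" | dh_bits_from_output)
    if dh_bits_ok "$bits"; then
        echo "ok: FFDHE ${bits} bits (>= ${MIN_DH_BITS})"
    else
        echo "WEAK: FFDHE ${bits} bits (< ${MIN_DH_BITS})"
    fi
}

check_sample "$SAMPLE_2048"
check_sample "$SAMPLE_1024"
# Live check against a real server:
#   probe_ffdhe mail.example.test 25 | dh_bits_from_output
```

A result of 0 bits means no DHE cipher was negotiated at all under these constraints, which is a different finding from a weak group and should be recorded separately.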