On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users
wrote:
> I am currently assessing the TLS security of a Postfix mail server and
> among other things sslscan reported that the server allows a (non-EC)
> DH exchange with only 1024 bits.
The Postfix SMTP server uses whatever DH parameters are configured by
the administrator. With default settings, the Postfix SMTP server uses
a built-in 2048-bit group.
The Postfix SMTP client accepts whatever DH group is accepted by OpenSSL
at the ambient OpenSSL "security level". For opportunistic TLS (Postfix
TLS security level "may"), and unauthenticated mandatory TLS (Postfix
TLS security level "encrypt") the OpenSSL security level is set to 0,
which will indeed (IMNSHO, correctly) accept 1024-bit DH.
Since with "may" even cleartext delivery is acceptable, it is
unreasonable to argue that 1024-bit DH is not good enough, it is
definitely stronger than cleartext.
With "encrypt" the connection is not immune to active MiTM attacks, so
any concerns around downgrades hrough weaker DH are misplaced, the
attacker can just terminate TLS, with no special effort to "impersonate"
the target server. So again 1024-bit DH (if presented by the remote
server is quite sufficient).
At Postfix TLS security levels that actually authenticate the remote
peer, the OpenSSL security level is set to 1, which means crypto
parameters with an equivalent symmetric key size of 80 bits. Yes,
this still accepts 1024-bit FFDH groups.
Perhaps the SSL security level for authenticated destinations could be
configurable, with level 2 (112-bit symmetic ~ 2048-bit RSA/DH) an
available option. But frankly, I am very sceptical of fears that
an effective and cost-efective realtime MiTM attack against 80-bit DH
is a practical concern for SMTP.
> While one solution would be to only
> allow ECDH(E) and disable DH(E) entirely, I would rather like to keep
> support for DH(E) for compatibility reasons but only enforce a lower
> limit on the size of the finite group (maybe 2048 bit, or even 3072
> bits preferably). How do I do that with Postfix? I cannot find any
> smptd_tls_... setting which seems related to that aspect.
There is no such setting, and I'd like to politely suggest that your
time is better spent elsewhere. Many real security issues to attend to,
while 1024-bit DH is not one of them.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
