On Sat, Mar 23, 2024 at 03:58:15PM +0100, Matthias Nagel via Postfix-users 
wrote:

> So the question still stands, how do I ensure that Postfix uses at
> least 2048bit DH, if TLS 1.2 and FFDH have been negotiated?

As an SMTP server, Postfix uses a 2048-bit built-in group, or else
whatever group you configured in its place.  The current recommendation
is to use the built-in group.  With OpenSSL 3.0, and "auto" for the DH
params, the Postfix SMTP server lets OpenSSL choose a group that matches
the server's private key strength.

> Unfortunately not. Yes, we are speaking about opportunistic TLS as I
> am looking at my mail server in the role of an SMTP server for
> incoming mails from the public Internet. I must not make TLS
> encryption mandatory, as there are still a lot of (legacy) systems out
> there which do not support TLS (unfortunately). For the same reason, I
> don't want to disable FFDH completely as there are even more legacy
> servers on the public Internet which still do not support EC. At the
> same time, I have to meet certain legal regulations which mandate a
> minimum cryptographic strength. So while it is seemingly fine to not
> use TLS at all on the one hand, TLS must meet certain minimal
> requirements if it is used on the other hand.

These are of course inane, it is up to the sending client to set a
reasonable floor, the server just has to offer a high enough ceiling.

    https://www.postfix.org/TLS_README.html#client_tls_limits

> I mean I also disable SSL 3.0, TLS 1.0 and TLS 1.1 and only allow TLS
> 1.2 or 1.3 besides plain transport. From a technical perspective one
> could also argue that leaving SSL 3.0 and TLS <1.2 enabled is still
> better than plain transport.

There are good reasons to disable SSL 2.0, because it is no longer
needed for interop, and exposes servers to potential cross-protocol
attacks such as DROWN.  Similarly, SSL 3.0 is also not needed for
interop, though the risk of issues is much lower, it is basically TLS
1.0 without extensions.

Disabling TLS 1.0 and TLS 1.1 is a judgement call.  There is little
practical risk to SMTP, and a dwindling minority of senders still
only do TLS 1.0, but these are quite rare now.

> I wonder whether setting `smtpd_tls_dh1024_param_file` to a custom
> 2048-bit DH group would help?

It would force the use of that group, which would typically be accepted
by the client, but perhaps (speculatively) some accept only the RFC3526
groups?

> But from my understanding of the docs that should not be necessary as
> Postfix 3.8.5 uses a built-in 2048bit group if left empty.

Yes, with OpenSSL 1.1.1.  But with 3.0, the default is "auto", which
will use one of the RFC DH groups based on the certificate strength,
typically also 2048-bit.

> PS: As of January 2024, the German BSI has tightened its recommendation
> for asymmetric algorithms over finite fields to at least 3000 bits
> (i.e. RSA encryption, RSA signatures and FFDH).

With little thought about the opportunistic TLS use-case.

-- 
    Viktor.
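
One way to confirm from the client side what an SMTP server actually negotiates, as an added example that is not part of the original message: the function below reads `openssl s_client` output and compares a finite-field DH temp key against a floor. The host name, the sample excerpts and the acceptance of a "Peer Temp Key:" label are assumptions.

```shell
#!/bin/sh
# Added example: classify the ephemeral key that `openssl s_client` reports.
# Live capture (mail.example.com is a placeholder host):
#   openssl s_client -connect mail.example.com:25 -starttls smtp \
#       -tls1_2 -cipher DHE </dev/null 2>/dev/null | check_ffdh_floor 2048

# Reads s_client output on stdin; $1 = minimum FFDH size in bits.
# Prints "ok DH <bits>", "weak DH <bits>", "not-ffdh <type>" or "no-temp-key".
# Returns 0 (acceptable), 1 (FFDH below the floor), 2 (nothing to judge).
check_ffdh_floor() {
    floor=${1:-2048}
    # Assumption: label is "Server Temp Key:" or, on newer builds, "Peer Temp Key:".
    line=$(sed -n -E 's/^ *(Server|Peer) Temp Key: *//p' | head -n 1)
    if [ -z "$line" ]; then
        echo "no-temp-key"; return 2
    fi
    kx=${line%%,*}
    if [ "$kx" != "DH" ]; then
        echo "not-ffdh $kx"; return 0
    fi
    bits=$(printf '%s\n' "$line" | sed -n -E 's/^DH, *([0-9]+) bits.*/\1/p')
    if [ -z "$bits" ]; then
        echo "no-temp-key"; return 2
    fi
    if [ "$bits" -ge "$floor" ]; then
        echo "ok DH $bits"
    else
        echo "weak DH $bits"; return 1
    fi
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_DH2048='Peer signing digest: SHA256
Server Temp Key: DH, 2048 bits
---'
SAMPLE_X25519='Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---'
SAMPLE_RSA_KX='SSL handshake has read 3210 bytes and written 455 bytes
---'

printf '%s\n' "$SAMPLE_DH2048" | check_ffdh_floor 2048 || true   # 2048-bit floor
printf '%s\n' "$SAMPLE_DH2048" | check_ffdh_floor 3000 || true   # 3000-bit floor
printf '%s\n' "$SAMPLE_X25519" | check_ffdh_floor 2048 || true
printf '%s\n' "$SAMPLE_RSA_KX" | check_ffdh_floor 2048 || true
```

Restricting the test client to TLS 1.2 with DHE ciphers is what makes the server's FFDH group visible; without that restriction a modern client will normally negotiate an elliptic-curve exchange instead.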