On Wed, Dec 23, 2009 at 03:58:32PM +0100, Christoph Anton Mitterer wrote:

> Regarding TLS ciphers for SMTP client and server and this aNULL thingy.
>
> I was not really able to find some more information about this on the web.
>
> What does it mean exactly? What is the issue with anonymous ciphers?

The "aNULL" "thingy" automatically inter-operates with all known (since
support was introduced in Postfix 2.3 ~4 years ago) MTAs.

If certificate verification is enabled in Postfix, Postfix automatically
disables aNULL ciphers. You don't need to explicitly take any action to make
aNULL ciphers work.

Anonymous ciphers are only used when neither end of the connection
performs any certificate verification. The other party is expected
to not include aNULL ciphers in its cipher-list when it is going
to (request if a server and) verify a certificate.

Because aNULL ciphers are disabled by default in SSL toolkits, only
software that is explicitly willing to skip certificates enables
aNULL ciphers. This includes Postfix when certificate checks are
configured.

So everything works automatically; manual intervention to exclude aNULL
ciphers has not yet been required in any practical configurations. The
cipher exclusion lists are there "just in case" something unexpected
happens with a particular set of ciphers, perhaps a security issue,
or a new interoperability problem.

Since aNULL ciphers are less widely used than those that involve RSA
certificates, the documentation highlights the cases in which they are
left enabled and those in which they are automatically disabled (because
certs are needed on the local end). If something unexpected happens
you can augment the automatic policy with manual overrides.

You should never need the manual overrides. "Emergencies" aside
(actual interoperability problems with mandatory TLS destinations,
or TLS-only clients or cipher specific problems in OpenSSL), you
are expected to NOT waste time playing with OpenSSL ciphers in
Postfix. The cipherlist interface in OpenSSL is very subtle,
this is not an area for experimentation.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
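The automatic policy described above, as an added main.cf example that is not part of the original post or of the Postfix documentation; host names, file paths and the destinations in the policy table are placeholders.

```ini
# main.cf fragment (constructed example). Comments sit on their own lines:
# Postfix does not support trailing "#" comments after a parameter value.

# Outbound, opportunistic TLS with no certificate verification. Anonymous
# (aNULL) ciphers stay enabled here; this is the normal MTA-to-MTA case in
# which neither side checks certificates, and the session is still encrypted.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination policy. For destinations listed as "verify" or "secure"
# Postfix verifies the server certificate and drops aNULL ciphers by itself;
# no exclusion list is needed. Contents of the (constructed) policy file,
# built with "postmap /etc/postfix/tls_policy":
#   example.net    secure
#   example.org    verify
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Inbound, offer STARTTLS with our own certificate. A client that verifies
# certificates sends a cipher list without aNULL; a client that does not
# verify may negotiate an anonymous cipher instead.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/mail.example.com.crt
smtpd_tls_key_file = /etc/postfix/mail.example.com.key
# Asking for client certificates makes Postfix exclude aNULL ciphers on
# the server side automatically as well.
smtpd_tls_ask_ccert = no

# Manual overrides, kept at their empty defaults. They exist only for the
# "emergency" case the reply mentions (an OpenSSL cipher problem or an
# interoperability problem with a specific peer), so they stay commented out.
# smtp_tls_exclude_ciphers = aNULL
# smtp_tls_mandatory_exclude_ciphers = aNULL
# smtpd_tls_exclude_ciphers = aNULL
```

After editing main.cf, `postconf -n` shows only the non-default settings, which is a quick way to confirm that no exclusion list has been set by accident.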
