On Wed, Dec 23, 2009 at 03:58:32PM +0100, Christoph Anton Mitterer wrote:

> Regarding TLS ciphers for SMTP client and server and this aNULL thingy.
>
> I was not really able to find some more information about this on the web.
>
> What does it mean exactly? What is the issue with anonymous ciphers?
The "aNULL" "thingy" automatically inter-operates with all known (since support was introduced in Postfix 2.3 ~4 years ago) MTAs. If certificate verification is enabled in Postfix, Postfix automatically disables aNULL ciphers. You don't need to explicitly take any action to make aNULL ciphers work.

Anonymous ciphers are only used when neither end of the connection performs any certificate verification. The other party is expected to not include aNULL ciphers in its cipher-list when it is going to (request if a server and) verify a certificate. Because aNULL ciphers are disabled by default in SSL toolkits, only software that is explicitly willing to skip certificates enables aNULL ciphers. This includes Postfix when certificate checks are configured.

So everything works automatically; manual intervention to exclude aNULL ciphers has not yet been required in any practical configurations. The cipher exclusion lists are there "just in case" something unexpected happens with a particular set of ciphers, perhaps a security issue, or a new interoperability problem.

Since aNULL ciphers are less widely used than those that involve RSA certificates, the documentation highlights the cases in which they are left enabled and those in which they are automatically disabled (because certs are needed on the local end). If something unexpected happens you can augment the automatic policy with manual overrides. You should never need the manual overrides.

"Emergencies" aside (actual interoperability problems with mandatory TLS destinations, or TLS-only clients, or cipher-specific problems in OpenSSL), you are expected to NOT waste time playing with OpenSSL ciphers in Postfix. The cipherlist interface in OpenSSL is very subtle; this is not an area for experimentation.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.