On Mon, Mar 01, 2010 at 11:09:08PM -0500, Alex wrote:

> I have an existing old postfix TLS server set up and working
> successfully. It was created several years ago and has been working
> fine ever since.

You don't have to upgrade Postfix.

> I'm wondering what the benefits would be with
> upgrading? In other words, I realize I can only support SSLv2,

Most unlikely. I am not aware of any legacy versions of Postfix that
support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
support is sufficiently modern and robust.

> but are there other security designs and technologies that I would be
> encouraged to be able to support?

You should however upgrade OpenSSL to at least 0.9.8m, as many OpenSSL
security issues have been addressed in the meantime. If your legacy
Postfix is linked with OpenSSL 0.9.7x, then and only then do you need
to upgrade both (re-compile Postfix with OpenSSL 0.9.8). OpenSSL 1.0.0
will be released shortly; if you wait a bit, I would strongly recommend
OpenSSL 1.0.0 over 0.9.8.

> What encryption/cipher/key length, session key options, etc, choices
> should I be making if I were to do this today?

Use the default settings.

> Under what circumstances would you want to choose only TLSv1 and not
> SSLv3 and TLSv1?

Use the default settings. With sufficiently recent versions of Postfix
the default is to disable SSLv2 in the SMTP client:

    smtp_tls_protocols = !SSLv2

if your Postfix supports this parameter, it already defaults to this value.

-- 
    Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
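The reply above boils down to two version checks (Postfix 2.3 or later, OpenSSL 0.9.8m or later, and in particular not a 0.9.7x libssl linked into Postfix) plus a look at what smtp_tls_protocols defaults to. The script below is an added example, not code from the thread or from the Postfix project. It compares OpenSSL's letter-suffixed version strings of that era correctly (0.9.8l < 0.9.8m < 0.9.8zh, and 1.0.0 above all of them), then, where `openssl` and `postconf` are installed, reports the installed versions, the smtp_tls_protocols default, and which libssl the smtpd binary actually loads. The `verdict` and `check_local` helper names are this example's own; `openssl version`, `postconf -h`, `postconf -d` and `ldd` are the real commands.

```shell
#!/bin/sh
# Added example, not code from the original post or from Postfix itself.
# Checks what the reply asks for: Postfix >= 2.3, OpenSSL >= 0.9.8m, and the
# smtp_tls_protocols default, where the local binaries exist.

# version_key VERSION
#   Print "MAJOR MINOR FIX PATCH" so versions can be compared field by field.
#   Handles the letter-suffixed OpenSSL scheme of the time (0.9.8l < 0.9.8m
#   < 0.9.8zh) and plain dotted Postfix versions (2.3, 2.5.6). Trailing text
#   such as "-fips" or a snapshot date is ignored.
version_key() {
    num=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    letters=$(printf '%s\n' "$1" | sed 's/^[0-9.]*//; s/[^a-z].*$//')
    major=${num%%.*}
    [ -z "$major" ] && major=0              # empty input still yields 4 fields
    rest=${num#*.}
    [ "$rest" = "$num" ] && rest=0          # bare "1" has no minor field
    minor=${rest%%.*}
    fix=${rest#*.}
    [ "$fix" = "$rest" ] && fix=0           # "2.3" has no fix field
    patch=0
    while [ -n "$letters" ]; do             # base-27 value of the letter suffix
        c=${letters%"${letters#?}"}         # first character
        letters=${letters#?}
        patch=$(( patch * 27 + $(printf '%d' "'$c") - 96 ))
    done
    printf '%s %s %s %s\n' "$major" "$minor" "$fix" "$patch"
}

# version_at_least HAVE WANT
#   Exit status 0 when HAVE is the same as or newer than WANT.
version_at_least() {
    set -- $(version_key "$1") $(version_key "$2")
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        h=${pair%%:*}
        w=${pair#*:}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# verdict NAME HAVE WANT
#   One report line per component; exit status 1 when an upgrade is needed.
verdict() {
    if version_at_least "$2" "$3"; then
        printf '%-8s %-12s ok (>= %s)\n' "$1" "$2" "$3"
    else
        printf '%-8s %-12s UPGRADE (want >= %s)\n' "$1" "$2" "$3"
        return 1
    fi
}

# check_local
#   Run the checks against the installed binaries; skip quietly if absent.
check_local() {
    if command -v openssl >/dev/null 2>&1; then
        verdict OpenSSL "$(openssl version | awk '{print $2}')" 0.9.8m || true
    fi
    if command -v postconf >/dev/null 2>&1; then
        verdict Postfix "$(postconf -h mail_version)" 2.3 || true
        # Built-in default for the SMTP client; the parameter does not exist
        # on old releases, in which case postconf only prints a warning.
        postconf -d smtp_tls_protocols 2>/dev/null | grep . \
            || echo "smtp_tls_protocols: not supported by this Postfix"
        # Which libssl the daemon really loads (the 0.9.7x case in the reply).
        d=$(postconf -h daemon_directory)
        if command -v ldd >/dev/null 2>&1 && [ -x "$d/smtpd" ]; then
            ldd "$d/smtpd" | grep -i libssl || echo "smtpd: no libssl linked"
        fi
    fi
}

check_local
```

Run it as-is on the old server; on a box without Postfix it only defines the functions, which is what the comparison checks below exercise. The letter handling matters because a naive string or numeric comparison puts 0.9.8l and 0.9.8m in the wrong order, or treats 0.9.8m as newer than 1.0.0.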