On Tue, Mar 02, 2010 at 01:15:17PM -0500, Alex wrote:

> > Most unlikely. I am not aware of any legacy versions of Postfix that
> > support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
> > support is sufficiently modern and robust.
> 
> I'm not happy saying that it's probably older than that.

Older versions of Postfix still support SSLv3 and TLSv1, but the TLS
code in Postfix in those releases has some warts, so if you want more
than opportunistic TLS support, you need 2.3 or later.

> > OpenSSL 1.0.0 will be released shortly, if you wait a bit, I would
> > strongly recommend OpenSSL 1.0.0 over 0.9.8.
> 
> Will it be compatible with other programs compiled against 0.9.*?

Source-compatible: yes. Binary-compatible: no. Code needs to be
re-compiled to run with OpenSSL 1.0.0.

> >> What encryption/cipher/key length, session key options, etc, choices
> >> should I be making if I were to do this today?
> >
> > Use the default settings.
> 
> How can I find out what those defaults are? Is this what I should
> expect to see on a modern implementation?

Postfix settings are documented in postconf(5). Unless you are an SSL
expert who understands OpenSSL source code in detail, you really should
not change the default settings, and generally don't need to know what
they are.

> Mar  1 00:00:39 smtp0 postfix/smtp[6676]: TLS connection established
> to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
> 
> Is that a characteristic of the certificate that was created or how
> postfix was compiled or otherwise?

The remote system or your OpenSSL library or both do not support AES.
AES support in OpenSSL was added in OpenSSL 0.9.7. If you have OpenSSL
0.9.6, you lack modern ciphers and have a bunch of unfixed SSL security
issues.

Bulk encryption cipher-suites have only a tangential connection to
certificates. The same certificate would have worked with AES256,
if both sides supported it.

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
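As an added example (not part of the original thread, and not Postfix's own tooling), the following script parses the "TLS connection established" lines that postfix/smtp and postfix/smtpd log and flags exactly the conditions discussed above: an SSLv2/SSLv3 session, a non-AES bulk cipher such as the EDH-RSA-DES-CBC3-SHA suite in the quoted line, or a short key. The sample log lines, host names and addresses below are constructed for the demonstration; the first line is the one quoted in the message.

```python
import re

# Regex for the "TLS connection established" line logged by postfix/smtp (client side,
# "to <peer>") and postfix/smtpd (server side, "from <peer>"). Older releases log it
# without the Anonymous/Untrusted/Trusted/Verified prefix, as in the quoted line.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?:(?P<trust>Anonymous|Untrusted|Trusted|Verified) )?"
    r"TLS connection established (?:to|from) (?P<peer>.+?):? "
    r"(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

# Cipher-name fragments that indicate a non-AES or otherwise legacy bulk cipher.
LEGACY_CIPHER_MARKERS = ("DES", "RC4", "RC2", "NULL", "EXP")

# Constructed sample log; line 0 is the line quoted in the message, joined onto one line.
SAMPLE_LOG = [
    "Mar  1 00:00:39 smtp0 postfix/smtp[6676]: TLS connection established "
    "to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)",
    "Mar  1 00:01:12 smtp0 postfix/smtp[6680]: Trusted TLS connection established "
    "to mx.example.net[192.0.2.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Mar  1 00:05:07 smtp0 postfix/smtpd[6701]: Anonymous TLS connection established "
    "from old.example.org[198.51.100.7]: SSLv3 with cipher RC4-MD5 (128/128 bits)",
    "Mar  1 00:00:40 smtp0 postfix/smtp[6676]: 3A1B2C: to=<user@mydomain.com>, "
    "relay=smtp.mydomain.com[203.0.113.5]:25, delay=0.4, status=sent (250 Ok)",
]


def parse_tls_line(line):
    """Return the TLS parameters from one log line, or None if it is not a TLS line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    rec["algbits"] = int(rec["algbits"])
    return rec


def assess(rec):
    """List what a defender would flag about one negotiated TLS session."""
    findings = []
    if rec["proto"] in ("SSLv2", "SSLv3"):
        findings.append("obsolete protocol %s" % rec["proto"])
    cipher = rec["cipher"].upper()
    if "AES" not in cipher and any(mark in cipher for mark in LEGACY_CIPHER_MARKERS):
        # e.g. EDH-RSA-DES-CBC3-SHA: one side (peer or local OpenSSL) lacks AES,
        # which says nothing about the certificate, as the message explains.
        findings.append("legacy bulk cipher %s (no AES negotiated)" % rec["cipher"])
    if rec["bits"] < 128:
        findings.append("weak key length %d bits" % rec["bits"])
    return findings


def audit(lines):
    """Return (peer, protocol, cipher, findings) per TLS line; other lines are skipped."""
    report = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue
        report.append((rec["peer"], rec["proto"], rec["cipher"], assess(rec)))
    return report


if __name__ == "__main__":
    for peer, proto, cipher, findings in audit(SAMPLE_LOG):
        print("%-35s %-6s %-22s %s" % (peer, proto, cipher, "; ".join(findings) or "ok"))
```

Run it against a real mail log (for example, piping `grep 'TLS connection established' /var/log/mail.log` into `audit`) to see which peers still negotiate 3DES or RC4; a 3DES result on the local side points at an old OpenSSL build rather than at the certificate.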
