On Sun, Jun 16, 2013 at 11:13:05AM +0200, Jan P. Kessler wrote:

> > Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
> > attribute in the Postfix policy table.
>
> Thanks, that worked (postfix 2.8.13):
>
> policy_table:
> [mxtls.allianz.com] verify protocols=SSLv3:TLSv1

With the destination domain in [], or when "match=..." is explicitly
specified, the "verify" and "secure" levels are identical; otherwise I
would probably shun "verify" and use "secure" with explicit "match"
clauses as required.

> Currently I fear that other partners might also be affected by this.
> Now the queues are almost empty, but most traffic with other mandatory
> TLS partner sites will start to continue during work hours Mo-Fr and
> I'll be out of office for a week. What do you think about deactivating
> v1.1 and v1.2 globally?

Unlikely to cause any harm, and may help with some destinations. You
lose support for AEAD modes which protect against "CRIME" and "BEAST",
but those attacks are browser-specific.

> smtp_tls_mandatory_protocols = !SSLv2
> smtp_tls_protocols = !SSLv2
>
> Suggestion:
> smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
> smtp_tls_protocols = !SSLv2

You can set both the same for now. Ideally there'll be some pressure on
sites with broken TLSv1.2 (TLSv1.1 is a far more modest change) to get
their implementations upgraded. But if you have critical traffic, it may
be reasonable to be conservative in what you send...

> Will this work or are we expected to run into other compatibility issues
> with that from your experience?

TLSv1 is tried and true and largely sufficient; it is a very safe choice.

> P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build
> which also seems to work fine:
>
> # ldd /opt/vrnetze/postfix/libexec/smtpd|grep -i ssl
> libssl.so.1.0.0 => /opt/vrnetze/openssl/lib/libssl.so.1.0.0
> libcrypto.so.1.0.0 => /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0
>
> Am I right concluding that this won't require a postfix rebuild on new
> openssl 1.0.x versions?

I can't speak for the stability of the OpenSSL ABI. It is *supposed* to
work; whether it will, only time will tell.

Many other users will rely on this stability on systems where 1.0.0 or
1.0.1 is the default OpenSSL library:

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
$ ldd $(type -p openssl) | grep /usr/lib | awk '{printf "%-20s %s\n", $1,$3}'
libssl.so.1.0.0      /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
libcrypto.so.1.0.0   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0

--
	Viktor.
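The thread shows two spellings of the same Postfix protocol list: the whitespace-separated exclusion form in main.cf (`!SSLv2 !TLSv1.1 !TLSv1.2`) and the colon-separated inclusion form in a policy-table entry (`protocols=SSLv3:TLSv1`). The following is an added example, not code from the thread or from Postfix, that resolves both forms into the protocol set the SMTP client would actually offer to a given destination and flags entries that still allow SSLv2/SSLv3, which is the check an administrator wants before rolling a global change like the one discussed. It assumes the five protocol names in `KNOWN_PROTOCOLS` are the ones the linked OpenSSL supports, that a policy-table `protocols=` attribute overrides whichever main.cf protocol parameter applies at that entry's security level, and that mixing `!proto` and `proto` entries in one list is an error; the policy entries in the `__main__` block are constructed for illustration, with only the `[mxtls.allianz.com]` line taken from the thread.

```python
import re

# Protocol names in version order. Assumed for this example to be the set
# the linked OpenSSL build supports (1.0.1e, as in the thread, knows all five).
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Levels at which smtp_tls_mandatory_protocols applies; "may" is opportunistic
# and uses smtp_tls_protocols; "none" sends in the clear.
MANDATORY_LEVELS = {"encrypt", "fingerprint", "verify", "secure"}

# "destination level attr=value attr=value ..." as in an smtp_tls_policy_maps file.
POLICY_LINE = re.compile(
    r"^(?P<dest>\S+)\s+(?P<level>\S+)(?P<attrs>(?:\s+[^\s=]+=\S+)*)\s*$")


def parse_protocol_list(spec, separator=r"[\s,]+"):
    """Turn a Postfix protocol list into the set of enabled protocol names.

    Entries prefixed with '!' form an exclusion list applied to KNOWN_PROTOCOLS;
    entries without '!' form an inclusion list. Mixing the two in one list is
    rejected (assumption for this example). The main.cf form is whitespace or
    comma separated; pass separator=":" for the policy-table form.
    """
    tokens = [t for t in re.split(separator, spec.strip()) if t]
    if not tokens:
        return set(KNOWN_PROTOCOLS)  # empty list: nothing excluded
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    if excluded and included:
        raise ValueError(f"mixed inclusion/exclusion list: {spec!r}")
    unknown = (excluded | included) - set(KNOWN_PROTOCOLS)
    if unknown:
        raise ValueError(f"unknown protocol name(s) {sorted(unknown)} in {spec!r}")
    return included if included else set(KNOWN_PROTOCOLS) - excluded


def parse_policy_line(line):
    """Split one policy-table entry into (destination, level, {attr: value})."""
    m = POLICY_LINE.match(line)
    if m is None:
        raise ValueError(f"unparseable policy entry: {line!r}")
    attrs = dict(item.split("=", 1) for item in m.group("attrs").split())
    return m.group("dest"), m.group("level"), attrs


def effective_protocols(main_cf, policy_line=None):
    """Return (level, enabled protocol set) for one destination.

    main_cf is a dict of the relevant main.cf parameters. Without a policy
    entry the destination gets smtp_tls_security_level; a policy entry's
    "protocols=" attribute overrides the main.cf list for that destination.
    """
    if policy_line is None:
        level, attrs = main_cf["smtp_tls_security_level"], {}
    else:
        _dest, level, attrs = parse_policy_line(policy_line)
    if level == "none":
        return level, set()
    if level in MANDATORY_LEVELS:
        spec = main_cf["smtp_tls_mandatory_protocols"]
    elif level == "may":
        spec = main_cf["smtp_tls_protocols"]
    else:
        raise ValueError(f"unsupported security level {level!r}")
    if "protocols" in attrs:
        # Policy-table lists are ':'-separated because whitespace separates attributes.
        return level, parse_protocol_list(attrs["protocols"], separator=":")
    return level, parse_protocol_list(spec)


def weak_protocols(enabled):
    """The SSL-era protocols a defender would rather not have enabled at all."""
    return [p for p in ("SSLv2", "SSLv3") if p in enabled]


def audit_policy(main_cf, policy_lines):
    """Resolve every entry and report (dest, level, enabled-in-order, weak)."""
    report = []
    for line in policy_lines:
        dest, _, _ = parse_policy_line(line)
        level, enabled = effective_protocols(main_cf, line)
        ordered = sorted(enabled, key=KNOWN_PROTOCOLS.index)
        report.append((dest, level, ordered, weak_protocols(enabled)))
    return report


if __name__ == "__main__":
    # main.cf as suggested in the thread; policy entries below are constructed.
    MAIN_CF = {
        "smtp_tls_security_level": "may",
        "smtp_tls_mandatory_protocols": "!SSLv2 !TLSv1.1 !TLSv1.2",
        "smtp_tls_protocols": "!SSLv2",
    }
    POLICY = [
        "[mxtls.allianz.com] verify protocols=SSLv3:TLSv1",   # from the thread
        "[partner.example] encrypt",                           # constructed
        "example.net may",                                     # constructed
    ]
    for dest, level, ordered, weak in audit_policy(MAIN_CF, POLICY):
        flag = f"  <-- still allows {', '.join(weak)}" if weak else ""
        print(f"{dest:28} {level:8} {' '.join(ordered)}{flag}")
```

Run as a script it prints one line per policy entry with the resolved protocol set and marks entries that keep SSLv3 enabled, which both the thread's policy line and the suggested global `!SSLv2 !TLSv1.1 !TLSv1.2` setting do; the functions can also be imported to check a real policy file line by line.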