On Wed, Sep 11, 2013 at 01:26:25PM +0200, Ralf Hildebrandt wrote:

> > Anyone has tested such server in real life ?
> > 
> > http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
> 
> I finally got around reading this.
>
> I wonder if it should be more strict regarding the used ciphers (both
> in Postfix and Dovecot), given that it's for self-hosting only.

With opportunistic TLS, reducing the set of ciphers available always
reduces security, since when the handshake fails mail is subsequently
sent in the clear.  The Postfix SMTP client and server cipherlists
are *ordered* sensibly, and with SSLv2 disabled (default), there
should be no downgrade attacks.

It only makes sense to restrict the cipherlist to a more secure
subset when TLS is mandatory.  The default cipher grade for mandatory
TLS is "medium".  The "medium" grade is essentially just 128-bit RC4:

    AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
    ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
    IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
    IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
    RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
    ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
    ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
    ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
    ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
    RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
    RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
    RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5

so if not using RC4 is a requirement, raising the mandatory grade to
high can be tried with care, but the effect is not always necessarily for
the better:

    $ posttls-finger -c -L summary gmail.com
    posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.74.27]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)

    $ posttls-finger -c -L summary -g high gmail.com
    posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.74.27]:25: TLSv1.1 with cipher AES128-SHA (128/128 bits)

So with "medium" you get RC4 with PFS, and with "high" you get
AES128 without PFS.  Which is better, we don't know for sure.

On a related note, in the Postfix SMTP client, I'd like at some
point to disable not only SSLv2, but also SSLv3, leaving only TLSv1
and up enabled.  This ensures that TLSv1 extensions are sent in
the SSL client HELO message.  Extensions can signal the list of
supported EECDH curves, support for session tickets, ...

The right time for this would probably be after OpenSSL 1.0.2 is
released, because then with an appropriate small change to Postfix,
the best EECDH curve can be negotiated, rather than fixed by the
server.

SSLv3 is already disabled in Postfix 2.11 when the remote server
is authenticated via DNSSEC DANE TLSA records, because in this case
the Postfix SMTP client needs to send the SNI extension to the
server (just in case the right certificate is contingent on SNI).

-- 
        Viktor.
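
The medium-versus-high trade-off above (RC4 with forward secrecy versus AES128 without it) is easier to reason about when each suite in a grade is tagged with the properties that actually matter. The script below is an added example, not code from the thread or from Postfix: it parses the `openssl ciphers -v` table format quoted in the post and tags every suite with the weaknesses it carries (no forward secrecy, anonymous key exchange, RC4, MD5, SSLv2-only). The MEDIUM_SAMPLE is the list from the post; HIGH_SAMPLE is a constructed illustration of a few suites a "high" list could contain. It assumes the OpenSSL 1.0.x naming convention in which `Kx=DH` and `Kx=ECDH` denote ephemeral (forward-secret) exchange while static ECDH prints as `Kx=ECDH/RSA` or `Kx=ECDH/ECDSA`.

```python
"""Tag cipher suites from `openssl ciphers -v` output with their weaknesses.

Input format (one suite per line):

    NAME  PROTO  Kx=...  Au=...  Enc=ALG(bits)  Mac=...

Assumption (OpenSSL 1.0.x naming): Kx is exactly "DH" or "ECDH" for an
ephemeral, forward-secret exchange; static ECDH prints as "ECDH/RSA" or
"ECDH/ECDSA" and RSA key transport as "RSA".
"""
import re
from dataclasses import dataclass

# The "medium" grade exactly as listed in the post.
MEDIUM_SAMPLE = """\
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

# Constructed sample of suites a "high" list may contain; not from the post.
HIGH_SAMPLE = """\
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    bits: int
    mac: str

    @property
    def forward_secret(self) -> bool:
        # Ephemeral (EC)DH only; "ECDH/RSA" style static ECDH does not count.
        return self.kx in ("DH", "ECDH")

    @property
    def authenticated(self) -> bool:
        return self.au != "None"

    @property
    def uses_rc4(self) -> bool:
        return self.enc == "RC4"


def parse_ciphers_v(text: str) -> list:
    """Parse `openssl ciphers -v` style lines into Suite records."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised cipher line: %r" % line)
        suites.append(Suite(name=m["name"], proto=m["proto"], kx=m["kx"],
                            au=m["au"], enc=m["enc"],
                            bits=int(m["bits"] or 0), mac=m["mac"]))
    return suites


def flags(s: Suite) -> frozenset:
    """Weakness tags for one suite (empty set means none of the listed ones)."""
    f = set()
    if not s.forward_secret:
        f.add("no-pfs")
    if not s.authenticated:
        f.add("anon")
    if s.uses_rc4:
        f.add("rc4")
    if s.mac == "MD5":
        f.add("md5")
    if s.proto == "SSLv2":
        f.add("sslv2")
    return frozenset(f)


def summarize(suites) -> dict:
    """How many suites in the list carry each tag, plus the total."""
    out = {"total": len(suites), "no-pfs": 0, "anon": 0,
           "rc4": 0, "md5": 0, "sslv2": 0}
    for s in suites:
        for tag in flags(s):
            out[tag] += 1
    return out


def report(label: str, text: str) -> str:
    """Human-readable per-suite listing with a summary line on top."""
    suites = parse_ciphers_v(text)
    lines = ["%s: %s" % (label, summarize(suites))]
    for s in suites:
        tags = ",".join(sorted(flags(s))) or "-"
        lines.append("  %-24s %-5s %s" % (s.name, s.proto, tags))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("medium", MEDIUM_SAMPLE))
    print(report("high (constructed)", HIGH_SAMPLE))
```

Run against the post's table, the summary shows that only 4 of the 12 "medium" suites are forward-secret and 2 of those are anonymous, which is exactly why a blanket "raise the grade" cannot be judged without looking at what the peer actually negotiates. Feed it the output of `openssl ciphers -v 'HIGH'` (or whatever `tls_high_cipherlist` expands to on your build) to see the same tags for the list a mandatory-TLS destination would be restricted to.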
