Viktor Dukhovni <postfix-us...@dukhovni.org> writes:

> On Wed, Oct 02, 2013 at 07:38:42PM -0400, micah wrote:
>
>> I suppose there is no way to achieve some middle ground of doing
>> opportunistic encryption, but for those who are only talking with bad
>> protocols and ciphers (or clear-text) do a non-permanent failure with a
>> message about their bad protocol so at least some admin eventually may
>> see that information (perhaps when the user complains that their
>> messages are slow to be delivered).
>
> What would be the point? You accept plaintext mail, but reject
> mail encrypted with algorithms vulnerable to a costly, but not
> infeasible brute-force effort?

No, both plaintext and bad crypto would either be soft rejected with message to give a delay annoyance.

>> > You could disable SSLv3 in the SMTP client, and use only TLSv1,
>> > TLSv1.1 or TLSv1.2.
>>
>> Do you mean in the MUA, or in the 'smtp' configurations in postfix? If
>> the latter, what happens when you disable SSLv3 and connect to a remote
>> MTA to make a delivery and they do not support anything but SSLv3?
>
> In all SMTP clients, since SMTP servers almost universally support
> TLSv1. There are exceedingly few servers that don't. You'd end
> up sending in the clear to these. Disabling SSLv3 is not very
> useful yet, the benefits only become real when TLS extensions sent
> by the client allow servers to choose more secure parameters for
> EECDH or EDH, which is not possible yet due to API and protocol
> limitations. This said it is unlikely to cause any significant
> problems.
>
>> > Neither Postfix nor OpenSSL actually care about the size of the
>> > prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits,
>> > and likely get away with it. See recent thread on Exim TLS interop.
>> > YMMV, some clients may choke on 2048-bit EDH (though more typically
>> > these limited implementations are in browsers, ... not MTAs).
>>
>> Interesting, what interoperability problems are there here? If you set
>> the smtpd_tls_dh1024_param_file to a 2048bit file, what happens when a
>> client chokes on this? Does it fall back to clear text, or a non-EDH
>> cipher, or does it cause a connection reset... or?
>
> Some clients don't implement EDH for primes larger than some limit,
> possibly as low as 1024 bits. Such issues are common in browsers,
> and perhaps MUAs, but very uncommon in MTAs. When the TLS handshake
> fails, the MTA behaviour is implementation dependent. Postfix (which
> does not have such limits) retries with plaintext, unless constrained
> by out-of-band policy (administrative or DANE).

Thanks for the explanation.

micah
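
The thread notes that peers limited to SSLv3 would drop to cleartext once SSLv3 is disabled; the following added example (not part of the original thread) lists such peers, and peers on sub-128-bit ciphers, from existing Postfix logs so they can be identified beforehand. It assumes the session lines Postfix writes with `smtp_tls_loglevel = 1` / `smtpd_tls_loglevel = 1`; the sample lines, host names and the 128-bit threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format Postfix logs at TLS loglevel 1.
SAMPLE_LOG = """\
Oct  2 19:40:01 mx postfix/smtp[2345]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct  2 19:40:05 mx postfix/smtpd[2350]: Anonymous TLS connection established from mail.example.org[198.51.100.7]: SSLv3 with cipher RC4-SHA (128/128 bits)
Oct  2 19:41:12 mx postfix/smtp[2361]: Untrusted TLS connection established to old.example.com[203.0.113.5]:25: SSLv3 with cipher DES-CBC3-SHA (168/168 bits)
Oct  2 19:42:30 mx postfix/smtpd[2377]: Anonymous TLS connection established from legacy.example.org[198.51.100.9]: TLSv1 with cipher EXP-RC4-MD5 (40/128 bits)
Oct  2 19:43:02 mx postfix/smtpd[2380]: connect from plain.example.org[198.51.100.20]
"""

# Matches both client (smtp, "to host[ip]:port") and server (smtpd, "from host[ip]") lines.
TLS_LINE = re.compile(
    r"postfix/smtpd?\[\d+\]: \w+ TLS connection established "
    r"(?P<dir>to|from) (?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

OLD_PROTOCOLS = {"SSLv2", "SSLv3"}  # protocols the thread discusses disabling
MIN_BITS = 128                      # assumed threshold for a "bad" cipher


def weak_tls_peers(log_text, old_protocols=OLD_PROTOCOLS, min_bits=MIN_BITS):
    """Return {(direction, peer): [reasons]} for sessions on old protocols or weak ciphers."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS session line; plaintext sessions produce none
        key = ("outbound" if m["dir"] == "to" else "inbound", m["peer"])
        if m["proto"] in old_protocols:
            findings[key].add(f"protocol {m['proto']}")
        if int(m["bits"]) < min_bits:
            findings[key].add(f"cipher {m['cipher']} ({m['bits']} bits)")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (direction, peer), reasons in sorted(weak_tls_peers(SAMPLE_LOG).items()):
        print(f"{direction:8} {peer}: {', '.join(reasons)}")
```

Plaintext sessions never produce a "TLS connection established" line, so finding them requires correlating connect/delivery lines with the absence of a TLS line for the same process, which this sketch does not attempt.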