micah <mi...@riseup.net> writes:

> Viktor Dukhovni <postfix-us...@dukhovni.org> writes:
>
>> On Wed, Oct 02, 2013 at 03:39:06PM -0400, Micah Anderson wrote:
>>
>>> From my understanding of the way postfix currently operates, there is no
>>> smtpd/smtp TLS setting that can be set that would provide a
>>> configuration that would result in a more 'hardened' configuration,
>>> without causing interoperability problems. If I am wrong, I'm very
>>> interested in knowing where.
>>
>> You get no benefit from hardening the Postfix SMTP server on port
>> 25 (tighter mandatory parameters on the submission port may work
>> for some). This has little to do with Postfix and everything to
>> do with the fact that SMTP servers accept messages from total
>> strangers (many of the clients don't support TLS at all).
>
> Regarding tighter mandatory parameters on the submission port - any idea
> what these could reasonably be? For example, if I disable SSLv2/v3 am I
> going to cut off Outlook users?
>
> It would be nice if we had a good survey of clients that are still out
> there.
>
> I looked at some of my logs and found the following from a small sample
> over the last day:
>
> # zgrep 'TLS connection' /var/log/postfix.log* |grep 'TLS connection'|awk '{print $12, $15}' |sort | uniq -c |sort -nr
> 301849 TLSv1 DHE-RSA-AES256-SHA
> 109117 TLSv1 AES128-SHA
>  30032 TLSv1 RC4-SHA
>  14446 SSLv3 DHE-RSA-AES256-SHA
>   2532 TLSv1 AES256-SHA
>   1552 TLSv1 DHE-RSA-AES128-SHA
>    424 SSLv3 AES256-SHA
>    178 SSLv3 DHE-RSA-AES128-SHA
>     69 TLSv1 DES-CBC3-SHA
>     26 SSLv3 AES128-SHA
>     18 SSLv3 DES-CBC3-SHA
>     17 SSLv3 RC4-SHA
Oops, this machine is not yet on openssl1.0, so these results are somewhat useless. I'll have to get better ones from a newer machine.

micah
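The survey in the quoted message tallies protocol and cipher from the Postfix "TLS connection established" log lines by whitespace field number ($12 and $15). The following is an added example, not code from the thread or from the Postfix project, that does the same tally with a regex on the message text and then answers the question the thread actually asks: how many of the observed sessions would fail if SSLv2/SSLv3 (or a given cipher) were refused. The log lines are constructed samples in the Postfix smtpd log layout; the function names and the weak-protocol set are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread), in the layout Postfix
# smtpd/smtp use for "TLS connection established" messages. The last line
# is a non-TLS event and must be ignored by the parser.
SAMPLE_LOG = """\
Oct  2 15:39:06 mx postfix/smtpd[4011]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct  2 15:39:07 mx postfix/smtpd[4012]: Anonymous TLS connection established from b.example[192.0.2.11]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct  2 15:39:08 mx postfix/smtpd[4013]: Untrusted TLS connection established from c.example[192.0.2.12]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct  2 15:39:09 mx postfix/smtpd[4014]: Anonymous TLS connection established from d.example[192.0.2.13]: TLSv1 with cipher RC4-SHA (128/128 bits)
Oct  2 15:39:10 mx postfix/smtpd[4015]: Anonymous TLS connection established from e.example[192.0.2.14]: SSLv3 with cipher RC4-SHA (128/128 bits)
Oct  2 15:39:11 mx postfix/smtpd[4016]: connect from f.example[192.0.2.15]
"""

# Match on the message text rather than on field positions, so a different
# syslog prefix (hostname with spaces, ISO timestamps) does not shift columns.
TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<keybits>\d+) bits\)"
)

# Protocols the thread proposes to disable (example's own set, an assumption).
LEGACY_PROTOCOLS = frozenset({"SSLv2", "SSLv3"})


def parse_tls_sessions(lines):
    """Return a list of (protocol, cipher) tuples, one per TLS session logged."""
    sessions = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            sessions.append((m.group("proto"), m.group("cipher")))
    return sessions


def survey(sessions):
    """Equivalent of `sort | uniq -c`: count each (protocol, cipher) pair."""
    return Counter(sessions)


def format_survey(counts):
    """Render the tally like `sort -nr` output: most frequent pair first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["%7d %s %s" % (n, proto, cipher) for (proto, cipher), n in ordered]


def impact_of_disabling(sessions, protocols=LEGACY_PROTOCOLS, ciphers=frozenset()):
    """Count sessions that negotiated a protocol or cipher you intend to refuse.

    Returns (affected, total, fraction). This is an upper bound on breakage:
    a client that negotiated SSLv3 against this server may still be able to
    speak TLSv1 once SSLv3 is no longer offered.
    """
    affected = sum(1 for proto, cipher in sessions
                   if proto in protocols or cipher in ciphers)
    total = len(sessions)
    return affected, total, (affected / total if total else 0.0)


if __name__ == "__main__":
    sessions = parse_tls_sessions(SAMPLE_LOG.splitlines())
    for row in format_survey(survey(sessions)):
        print(row)
    affected, total, frac = impact_of_disabling(sessions)
    print("disabling SSLv2/SSLv3 would affect %d of %d sessions (%.0f%%)"
          % (affected, total, frac * 100))
```

To run it over real logs, replace `SAMPLE_LOG.splitlines()` with the lines of `/var/log/postfix.log*` (gzip-opened where needed). Pass `ciphers={"RC4-SHA"}` to `impact_of_disabling` to see the combined effect of refusing both SSLv3 and RC4; remember the fraction is a ceiling on real breakage, not a measurement of it.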