Zitat von Viktor Dukhovni <postfix-us...@dukhovni.org>:
With smtpd(8) there are no implicit exclusions, so you can build the
full list yourself if you want. For example, with opportunistic TLS
(may):
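#######################################
# Print the cipher list that smtpd(8) offers at a given TLS security level.
# The cipher grade is fixed here ("export" for may, "medium" for encrypt);
# the exclusion list is read from the matching smtpd_tls_*exclude_ciphers
# parameter and appended as "!cipher" so openssl(1) drops those ciphers.
# NOTE(review): at the encrypt level only the mandatory exclusion list is
# read; postconf(5) describes smtpd_tls_mandatory_exclude_ciphers as
# additional to smtpd_tls_exclude_ciphers, so the base list would also need
# to be applied (the revised version later in the thread does that).
# NOTE(review): openssl(1) here is the command-line tool; if Postfix links a
# different OpenSSL version the expanded list can differ — confirm.
# Arguments: $1 - "may" (opportunistic TLS) or "encrypt" (mandatory TLS)
# Outputs:   one cipher per line, as printed by "openssl ciphers -v"
# Returns:   1 on an unknown level, otherwise the exit status of openssl(1)
#######################################
server_ciphers() {
  local use skip ciphers exclude e OIFS
  case $1 in
    may)
      use="tls_export_cipherlist"
      skip="smtpd_tls_exclude_ciphers"
      ;;
    encrypt)
      use="tls_medium_cipherlist"
      skip="smtpd_tls_mandatory_exclude_ciphers"
      ;;
    *)
      # Without this arm an unknown level ran "postconf -xh" with an empty name.
      printf 'usage: server_ciphers may|encrypt\n' >&2
      return 1
      ;;
  esac
  ciphers=$(postconf -xh "$use")
  exclude=$(postconf -xh "$skip")
  if [ -n "$exclude" ]; then
    # Postfix accepts comma- or whitespace-separated lists, so split on both.
    # (The original used IFS=":,$OFS" with $OFS unset, so " RC4" kept its
    # leading blank and became "! RC4".)
    OIFS=$IFS
    IFS=":, $(printf '\t')"
    set -- $exclude
    IFS=$OIFS
    # '!' is single-quoted so an interactive shell's history expansion leaves it alone.
    for e; do ciphers="$ciphers:"'!'"$e"; done
  fi
  openssl ciphers -v "$ciphers"
}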
# Example call: list the ciphers smtpd(8) offers at the "encrypt" (mandatory TLS) level.
$ server_ciphers encrypt
Viktor,
Thanks for the script. It helped me to _really_ understand how Postfix
uses TLS.
But when I disable RC4 in smtpd_tls_exclude_ciphers, (I assume) it is
also not used
when I enforce encrypt mode!? This script doesn't say so.
Also, the script doesn't handle situations where smtpd_tls_ciphers is set to
'high', for example.
I now select the cipherlist based on smtpd_tls_ciphers /
smtpd_tls_mandatory_ciphers instead.
So here is my update (without any optimization!):
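#######################################
# Print the cipher list that smtpd(8) offers at a given TLS security level.
# The cipher grade is taken from smtpd_tls_ciphers (may) or
# smtpd_tls_mandatory_ciphers (encrypt) and mapped to tls_<grade>_cipherlist;
# every applicable smtpd_tls_*exclude_ciphers parameter is appended as
# "!cipher" so openssl(1) drops those ciphers.
# NOTE(review): postconf(5) describes smtpd_tls_mandatory_exclude_ciphers as
# an additional list, so applying both at the encrypt level looks right —
# confirm against the man page of your Postfix version.
# NOTE(review): openssl(1) here is the command-line tool; if Postfix links a
# different OpenSSL version the expanded list can differ — confirm.
# Arguments: $1 - "may" (opportunistic TLS) or "encrypt" (mandatory TLS)
# Outputs:   one cipher per line, as printed by "openssl ciphers -v"
# Returns:   1 on an unknown level, otherwise the exit status of openssl(1)
#######################################
server_ciphers() {
  # All work variables are local (the original left grade/skip*/exclude* global).
  local level=$1
  local grade use skip param ciphers exclude e OIFS
  case $level in
    may)
      grade=$(postconf -xh smtpd_tls_ciphers)
      skip="smtpd_tls_exclude_ciphers"
      ;;
    encrypt)
      # Both exclusion lists apply at the mandatory level; the mandatory one is
      # additional to the opportunistic one.
      grade=$(postconf -xh smtpd_tls_mandatory_ciphers)
      skip="smtpd_tls_exclude_ciphers smtpd_tls_mandatory_exclude_ciphers"
      ;;
    *)
      # Without this arm an unknown level ran "postconf -xh" with an empty name.
      printf 'usage: server_ciphers may|encrypt\n' >&2
      return 1
      ;;
  esac
  use="tls_${grade}_cipherlist"
  ciphers=$(postconf -xh "$use")
  # $skip is intentionally unquoted: it is a space-separated list of parameter names.
  for param in $skip; do
    exclude=$(postconf -xh "$param")
    [ -n "$exclude" ] || continue
    # Postfix accepts comma- or whitespace-separated lists, so split on both.
    # (The original used IFS=":,$OFS" with $OFS unset, so " RC4" kept its
    # leading blank and became "! RC4".)
    OIFS=$IFS
    IFS=":, $(printf '\t')"
    set -- $exclude
    IFS=$OIFS
    # '!' is single-quoted so an interactive shell's history expansion leaves it alone.
    for e; do ciphers="$ciphers:"'!'"$e"; done
  done
  openssl ciphers -v "$ciphers"
}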
Is this correct?
Andreas