On Sat, Nov 23, 2013 at 11:08:56PM +0100, Andreas Schulze wrote:

> > For bonus points, you could look at "smtpd_tls_ask_ccert" and
> > "smtpd_tls_req_ccert". If either is set to "yes", append ':!aNULL'
> > to the raw openssl cipher list.
>
> could you please tell more about that?
Not much more to tell, anonymous ciphers are disabled when the server
wants to request client certs. The TLS protocol does not make it
possible for client certs to be requested during the initial handshake
when the server is anonymous.

A little knowledge is a dangerous thing. Just because I've explained
the Postfix cipherlists in more detail does not mean that it is now a
good idea to tweak them. Most changes are likely to be
counter-productive. To defend against PRISM, ... defend the endpoints,
the crypto is not the weakest link.

-- 
	Viktor.

server_cipherlist() {
    local level grade use skip ciphers exclude e askcc OIFS

    level=$(postconf -xh smtpd_tls_security_level)
    case $level in
    none) return 0;;
    may)
        # Opportunistic TLS: the grade comes from smtpd_tls_ciphers
        grade="$(postconf -xh smtpd_tls_ciphers)"
        use="tls_${grade}_cipherlist"
        skip="smtpd_tls_exclude_ciphers";;
    encrypt)
        # Mandatory TLS: the grade comes from smtpd_tls_mandatory_ciphers,
        # and both exclusion lists apply
        grade="$(postconf -xh smtpd_tls_mandatory_ciphers)"
        use="tls_${grade}_cipherlist"
        skip="smtpd_tls_exclude_ciphers"
        skip="$skip smtpd_tls_mandatory_exclude_ciphers";;
    *) echo "Invalid security level: ${level}" >&2; return 1;;
    esac

    ciphers="$(postconf -xh $use)"

    # When client certs are requested, anonymous ciphers are excluded:
    # an anonymous server cannot request a client certificate
    for askcc in smtpd_tls_ask_ccert smtpd_tls_req_ccert
    do
        case "$(postconf -xh "${askcc}")" in
        [Yy][Ee][Ss]) ciphers="$ciphers:"'!aNULL'; break;;
        esac
    done

    # Exclusion lists are separated by whitespace and/or commas;
    # "postconf -h" of two parameters prints one value per line
    exclude="$(postconf -xh $skip)"
    if [ -n "${exclude}" ]
    then
        OIFS="$IFS"; IFS=":,$OIFS"
        set -- $exclude; IFS="$OIFS"
        for e; do ciphers="$ciphers:"'!'"$e"; done
    fi
    echo "$ciphers"
}

clist=$(server_cipherlist)
if [ $? -eq 0 ] && [ -n "$clist" ]; then
    openssl ciphers -v "$clist"
fi
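The following is an added example and not part of the mail above or of Postfix itself. It applies the rule from the reply (anonymous suites are dropped as soon as smtpd_tls_ask_ccert or smtpd_tls_req_ccert is "yes") to a constructed sample of "openssl ciphers -v" output, so it runs without Postfix or OpenSSL installed and shows which suites "!aNULL" actually removes: the ADH/AECDH suites whose Au field is "None". The suite lines are in real OpenSSL output format, but the list itself and the function names (is_yes, offered_suites, suite_count, anon_count) are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original mail. Constructed sample of
# "openssl ciphers -v" output: name, protocol, Kx=, Au=, Enc=, Mac=.
# Au=None marks an anonymous suite (ADH-*/AECDH-*): key agreement with no
# server authentication, hence no certificate exchange either way.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA            SSLv3   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(128) Mac=AEAD
ADH-AES128-GCM-SHA256       TLSv1.2 Kx=DH   Au=None Enc=AESGCM(128) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA  Enc=AES(128)    Mac=SHA1'

# is_yes VALUE: Postfix-style boolean test (case-insensitive "yes").
is_yes() {
    case "$1" in
    [Yy][Ee][Ss]) return 0;;
    *) return 1;;
    esac
}

# offered_suites ASK_CCERT REQ_CCERT: print the suite names the server
# would still offer. With either parameter set to "yes" the server needs
# to send a CertificateRequest, which is impossible in an anonymous
# handshake, so every Au=None suite is filtered out (the "!aNULL" effect).
offered_suites() {
    if is_yes "$1" || is_yes "$2"; then
        printf '%s\n' "$SAMPLE_CIPHERS" | awk '$4 != "Au=None" { print $1 }'
    else
        printf '%s\n' "$SAMPLE_CIPHERS" | awk '{ print $1 }'
    fi
}

# suite_count ASK_CCERT REQ_CCERT: number of suites offered.
suite_count() {
    offered_suites "$1" "$2" | awk 'END { print NR }'
}

# anon_count ASK_CCERT REQ_CCERT: anonymous suites (by name) still offered;
# must be 0 whenever client certs are requested.
anon_count() {
    offered_suites "$1" "$2" | awk '/^(ADH|AECDH)-/ { n++ } END { print n + 0 }'
}

# Usage: compare a server that never asks for client certs with one that does.
echo "no client certs requested:"; offered_suites no no
echo "client certs requested:";    offered_suites yes no
```

Against a live server the same check is "openssl ciphers -v" on the list the script above prints, looking for any remaining "Au=None" entries; if smtpd_tls_ask_ccert or smtpd_tls_req_ccert is "yes" there should be none.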