-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 23-12-13 18:30, Viktor Dukhovni wrote: > On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote: > >>> I am still fixing it for clarity, but it should be accurate. >>> Feedback is welcome. >>> >> >> After reading, I'm having some questions. > > s/reading/skimming/ :-) > >> The document states that forward secrecy is supported by default >> on recent postfix installs. However, the quick-start still has >> some settings that apparently need tweaking. > > They don't *need* tweaking. However, the "tweaked" settings are > *recommended. > >> Setting 'smtpd_tls_eecdh_grade = strong' is already available as >> default (tested with postfix 2.10), so no actual work here. > > As stated. > >> Setting the files (and refreshing them using a cronjob) specified >> by 'smtpd_tls_mumble_param_file' is a bit unclear though. The >> default for these params is empty, and setting them does not >> really show a different behavior in postfix (i.e. using different >> ciphers and keys) as far as visible from the logged information. > > http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs > > ... > > Postfix >= 2.2 support 1024-bit-prime EDH out of the box, with no > additional configuration, but you may want to override the default > prime to be 2048 bits long, and you may want to regenerate your > primes periodically. > >> But since forward secrecy is supported by default, what does it >> help to specify these params, and re-generate them once in a >> while? > > The default non-export prime is 1024 bits. As explained in the > document, you should consider using a 2048 bit non-export prime. > > The best-attacks on prime EDH are "pre-computation" attacks, where > one spends a bunch of time computing a bunch of data about a > particular prime, and is then able to quickly solve the underlying > problem much faster for any input. > > Though prime lengths are chosen based such pre-computation attacks > (rule of thumb is that for equivalent security EDH primes should be > about as long as RSA moduli) which are believed to be out of reach > for 2048 bit primes and perhaps still out of reach even for 1024 > bit primes, one can make the attacks much less attractive by > frequently generating new primes independently at each site. > > The compiled-in default prime in the Postfix source code is > perhaps within reach of the best-funded adversaries, who may have > performed the requisite pre-computation. Primes you generate on > your server, and use for a short time are unlikely to warrant the > extraordinary cost of the pre-computation attack. > >> I've no deep ssl knowledge, but the smtpd_tls_dh1024_param_file >> postconf documentation seems to indicate that openssl distributes >> some kind of defaults for these contents? > > I don't believe that OpenSSL provides default parameters, but > Postfix does. > >> Maybe it's a nice idea to make the forward secrecy and/or >> postconf documentation a bit verbose on how this works, and what >> benefits manual generation of these params has? > > The more advanced material we put in the document, the more > intimidating it will be for the average reader. But of course an > empty document is not optimal, so we have to aim for the middle.
As stated, I assumed that the default primes came from openssl, based on the smtpd_tls_dh1024_param_file description in postconf(5). While reading 'using the exact same parameter sets as distributed with other TLS packages', I was assuming 'other TLS packages' to be other (non-postfix, non-SMTP) software packages also using openssl. After another re-read of the forward secrecy document (and from your reply), I now found the part that states that the default primes are postfix builtins. I missed this link. So it doesn't have to be more technical or advanced. There were some connections between dots missing in the higher level picture. Tom -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJSuHsrAAoJEJPfMZ19VO/1MY0P/RkJMxLYu77l8QVfQjuwQdk1 4xgMXiyR0IC8tSKFuulwX/sl+YoFcv2wkjupx0ZwTkVg32feccAUgnzy3wVfe3UM Di5sxIdNq7M2MOb/O3nuoGkKiFDTtd/PXpInI6iLtKL9ADKXPwsbikQda1BEbV++ lO9BsVA1sJsAJOl40nOvx639cFQCEoLyAkuIgk6dZ//7sn1jmIFpYnZhkFvPo2rT Y+3xwGtK+kz2E/b2uutkCO203iCf6hSkyV/jSF2rHl9L/iOkH2ohwt3ICrlH3r38 9Q3TUeMkJzWrHC1ME+LHA5bPhmKdtFsPywZHCWEMK/91U1EQSw8MI6JLHwiC9SZQ JspWkm2JroIrkHl1mKHWi3IazI2hRTgjhmGwkaHy8+m3Cvkq5u9W8jEIBQ045luF gKnCQdaDnfA0htg1dGmvpFItQeddraG+7DcXFDKtPny/mo3oTfAoSgiO3dKIjEDm NihRXgJAtfJRXZG+vLGW0G/+h1DHT5u+l0l9W+TntJi9F2gBk1L6Lz+RSH9Jg5Cc WBAvu2FH1HpoiTNKfdJu3Oi8P0PaSIbnwtODWZ0VVaRVT+YQgGkgjyMcMsvJkEF7 WknGNWBGk5/2n5/x7E/yX1VIV0416ehZSom0C/eBUZxCWAiidZwrRB+hQrcqGJUU UfgkVU/WR+i9bBSxByEa =i2Yp -----END PGP SIGNATURE-----
