On Tue, Feb 24, 2015 at 07:35:18PM +0100, İhsan Doğan wrote:

> For me, it's not 100% clear, how the Postfix smtp client chooses the TLS
> cipher. In a setup, where a Postfix server connects to mail.dogan.ch,
> I've experienced this behaviour:
> 
> 1. smtp_tls_security_level = verify
> 
> Feb 24 18:51:28 bender postfix/smtp[26237]: [ID 197553 mail.info]
> Verified TLS connection established to mail.dogan.ch[77.109.151.89]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

[ Note "verify" is not recommended, use "secure" instead. However,
  these coincide when the [nexthop] is not subject to MX lookups. ]

This ciphersuite involves use of an RSA key to sign the server's
ephemeral ECDH key agreement parameters, thereby authenticating the
server to the client.

> 2. smtp_tls_security_level = may
> 
> Feb 24 19:16:51 bender postfix/smtp[26830]: [ID 197553 mail.info]
> Untrusted TLS connection established to mail.dogan.ch[77.109.151.89]:25:
> TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

[ Note, sufficiently recent Postfix versions correctly report this
  as "Anonymous" rather than "Untrusted". ]

Here, since no authentication is performed, an anonymous ciphersuite
is used, saving the server pointless cycles signing the ECDH
parameters.

> I guess the Postfix smtp client chooses the cipher
> ECDHE-RSA-AES256-GCM-SHA384 only when smtp_tls_security_level is set to
> verify, because the TLS connection is untrusted.

No, with "verify" the client removes anon-(EC)DH ciphers from its
cipherlist, because these would prevent the desired server
authentication.

> What makes me wonder is, why the TLS connection is trusted, if
> smtp_tls_security_level is set to verify, but it's untrusted if
> smtp_tls_security_level is set to may. What is the logic behind?

    http://www.postfix.org/TLS_README.html#client_tls_limits
    http://www.postfix.org/TLS_README.html#client_tls_levels
    http://www.postfix.org/TLS_README.html#client_tls_secure
    http://www.postfix.org/TLS_README.html#client_tls_may

With "may" there is no protection against active attacks, so no
CPU cycles are wasted going through the motions of certificate
checks whose results are ignored.

--
        Viktor.
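
Added example, not part of the original message: a small audit of Postfix SMTP client TLS log lines that lists destinations whose sessions had no server authentication, and flags any "Verified" session on an anonymous (ADH/AECDH) ciphersuite, which the reply above says cannot happen because "verify" removes those ciphers. The first two sample lines are the ones quoted in the thread, joined onto one line; the third (mx.example.net) is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Postfix smtp(8) TLS summary line: "<status> TLS connection established to
# host[ip]:port: <protocol> with cipher <name> (bits)".
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: .*?"
    r"(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# OpenSSL names of ciphersuites without server authentication (aNULL).
ANON_PREFIXES = ("ADH-", "AECDH-")

def parse(line):
    """Return a dict for a TLS summary line, or None for any other line."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["anon_cipher"] = rec["cipher"].startswith(ANON_PREFIXES)
    return rec

def audit(lines):
    """Return (unauthenticated, anomalies): per-host (status, cipher) pairs of
    sessions that were not Verified, and Verified sessions on an anon cipher."""
    unauth, anomalies = defaultdict(set), []
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "Verified":
            if rec["anon_cipher"]:
                anomalies.append(rec)  # should never occur with "verify"/"secure"
        else:
            unauth[rec["host"]].add((rec["status"], rec["cipher"]))
    return dict(unauth), anomalies

SAMPLE = [
    "Feb 24 18:51:28 bender postfix/smtp[26237]: [ID 197553 mail.info] Verified TLS connection established to mail.dogan.ch[77.109.151.89]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Feb 24 19:16:51 bender postfix/smtp[26830]: [ID 197553 mail.info] Untrusted TLS connection established to mail.dogan.ch[77.109.151.89]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)",
    # Constructed line in the newer "Anonymous" wording:
    "Feb 24 19:20:00 bender postfix/smtp[26901]: Anonymous TLS connection established to mx.example.net[192.0.2.25]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
]

if __name__ == "__main__":
    unauth, anomalies = audit(SAMPLE)
    for host, sessions in sorted(unauth.items()):
        print(host, sorted(sessions))
    print("anomalies:", len(anomalies))
```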
