On 24 May 2015, at 18:09, CSS <c...@morefoo.com> wrote:
>>> I thought I saw that listed on this forum earlier this year.
>>
>> Don't believe all the nonsense posted on the Internet.
>
> Related to the previous paragraph, I know that when I fiddle with
> SSL settings on a web server, I can easily dig up information on
> exactly what OS/browser combinations I'll be denying service to (so
> far, XP + IE6). Having that confidence in knowing what possible
> visitors I'm denying is nice.
>
> Is there any good reference for MTAs and MUAs out there? I'm
> thinking of something like the matrix Qualys shows in their test
> results.
>
> Whoever started this thread, thanks. It's always been a little fuzzy
> to me where OpenSSL and Postfix meet and decide which parameters are
> set by default (or aren't available).
>
> Any future plans to incorporate other SSL libraries?

Assuming you are talking about the MSA (submission) and not MTA to MTA
traffic, you can cover the vast majority of the scenarios with the
following cipher selection string;

EECDH+AES128:EECDH+AES256:EDH+AES128+SHA:RSA+AES+SHA:RSA+3DES:!DSS

Test this with 'openssl ciphers -v' to see the actual cipher selection
you get, as it varies with older pre-1.0 OpenSSL versions. On Ubuntu
Trusty, with an RSA certificate, this will give you the following list;

==
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
DHE-RSA-AES128-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
==

Make sure you have the following active for your MSA;

smtpd_tls_loglevel = 1
tls_preempt_cipherlist = yes

Monitor your logs, for example with a script like this;

==
zgrep -h 'postfix/smtpd\[.* connection established from .* with cipher' * \
  | sed 's/^.* connection established from .*\]: //' | sort \
  | uniq -c | sort -r -n
==

This will give you a list of most to least used ciphers in use,
associated protocol, bit strength etc.

Saved over time, you can monitor which ciphers are actually in use,
what the impact will be if you want/need to disable an older cipher,
and so on. Based on your actual usage profile, which is much better
data than a generic list of what clients might support, IMHO. And it
can be traced back to a connecting IP address, the authenticated
account, etc.

HTH,
Joni
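An added example, not part of Joni's message: the same log lines reduced to the clients that negotiated one given cipher, which is the list to review before disabling that cipher. The function names `cipher_clients` and `sample_log`, the log lines and the addresses are constructed for illustration, and the parsing assumes the Postfix log format written with smtpd_tls_loglevel = 1.

```shell
#!/bin/sh
# Added example: which clients negotiated a given cipher, according to
# Postfix smtpd TLS log lines (smtpd_tls_loglevel = 1) read from stdin.

# cipher_clients CIPHER
# Prints "<connections> <client-ip> <protocol>", busiest client first.
cipher_clients() {
    [ "$#" -eq 1 ] || { echo "usage: cipher_clients CIPHER" >&2; return 2; }
    awk -v want="$1" '
    /postfix\/smtpd\[/ && match($0, / connection established from .*\]: /) {
        client = substr($0, RSTART, RLENGTH)   # "... from host[addr]: "
        rest = substr($0, RSTART + RLENGTH)    # "TLSv1 with cipher NAME (...)"
        sub(/\]: $/, "", client)               # drop the trailing "]: "
        sub(/^.*\[/, "", client)               # keep only the address
        # Skip lines that do not carry "<protocol> with cipher <name>".
        if (split(rest, f, " ") < 4 || f[2] != "with" || f[3] != "cipher") next
        if (f[4] == want) n[client " " f[1]]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
May 24 18:01:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 24 18:03:40 mx postfix/smtpd[2105]: Anonymous TLS connection established from unknown[192.0.2.77]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
May 24 18:09:13 mx postfix/smtpd[2110]: Anonymous TLS connection established from old.example[198.51.100.5]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
May 24 18:15:55 mx postfix/smtpd[2117]: Anonymous TLS connection established from unknown[192.0.2.77]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
May 24 18:20:01 mx postfix/smtpd[2120]: connect from unknown[192.0.2.77]
EOF
}

# Stand-alone run: clients that would be affected by removing 3DES.
sample_log | cipher_clients DES-CBC3-SHA
```

With tls_preempt_cipherlist = yes the server's order decides the outcome, so a client that shows up on a cipher near the bottom of the list offered nothing the server ranks higher.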