On Mon, May 25, 2015 at 05:31:31PM +0200, DTNX Postmaster wrote:
> Except that the 'tls_medium_cipherlist' setting defaults to
> 'aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH', and thus leaves
> anonymous ciphers enabled for your MSA.
Which is a feature, not a bug.
> As well as PSK, DSS, SEED, SRP,
> and quite a few other ciphers very few people will need for client
> authentication, making the list of ciphers to exclude longer than an
> explicit cipherlist.
Which do no harm on the receiving side. None of PSK, SRP or DSS
are enabled without suitable server key material anyway. Simplicity
of configuration trumps OCD precision.
> Turning on 'tls_preempt_cipherlist' for that cipherlist means that
> you're explicitly preferring a chunk of those anonymous ciphers over
> the better options available. Oh, so add 'aNULL' to the exclusion list
> as well, right?
No. If the client sends aDH ciphers in the handshake, let it. You learn
which clients are not verifying your server certificate:
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-17#section-8.2
> Plus the "Wait, is the Postfix 'medium' not the same as the 'MEDIUM' I
> am reading about in the OpenSSL docs?"
No it is not the same. It is actually "at least MEDIUM" and thus
includes HIGH.
> It makes verifying which ciphers are actually active on the MSA harder
> for the average user, because there's no easy way for them to test what
> they can expect.
It makes it unnecessary for users to obsess over which ciphers they are
using.
> They have to assemble several bits to generate the
> active list, or test a running configuration to be certain.
None of this is wise or necessary.
> And no, not everyone gives the wrong recommendations ;-)
The wrong advice vastly outnumbers the right and is cargo-culted
by many.
--
Viktor.
