Viktor Dukhovni:
> Indeed, because such a policy would properly be an OpenSSL feature,
> not a Postfix feature. However, the whole attack is largely
> irrelevant for SMTP. Unless you're authenticating the server (DANE
> or Web PKI) you're subject to MiTM attacks with or without logjam.

Correct.

> When the server is authenticated, it is not going to send weak DH
> keys with strong ciphers.

Why?

> To avoid the logjam attack, configure your own servers as above.

No question, I did that already ...

> Policy about minimum key strengths for authentication and key
> exchange is at the TLS library layer. Upcoming OpenSSL releases
> will raise the minimum bit length for DH to 768 and then 1024 bits.
> Similar logic will likely apply to RSA keys. I don't think this
> logic belongs in Postfix. In any case CAs no longer sign such
> weak keys, and DANE TLSA records attesting to weak keys should not
> be published.

Why not?
Currently users could select minimum cipher strength. Why not minimum
authentication strength?
Andreas