On Thu, May 28, 2015 at 02:09:37PM +0200, DTNX Postmaster wrote:

> > I would love to see postfix smtp client reject connections to my weak
> > server.
> >
> > And *that* is the point...
>
> Also, remember that SMTP is based on opportunistic encryption, triggered
> by the presence of 'STARTTLS' in the EHLO response. All a MitM attack
> needs to do is to intercept that EHLO response, remove STARTTLS as a listed
> capability, and the communication will take place without it. Again, in
> plain text.
Well, a tiny minority of SMTP deliveries are not merely unauthenticated
opportunistic TLS. Roughly 1400 (mostly small) receiving domains have
published DANE TLSA records, and mail from any DANE-capable SMTP clients
(e.g. suitably configured Postfix 2.11 or later) will authenticate the
server.

Still, if such a server's TLSA records bind to weak keys, or a weak DH
group is used for DH key exchange, I don't think the client should object.
The client is "doing the server a favour" by honouring the TLSA records,
and if these lead to weak keys so be it.

With client-side configured secure channels (smtp_tls_security_level set
to "fingerprint", "verify" or "secure"), one might indeed expect stronger
keys, and it would be up to the TLS toolkit to provide that capability.
OpenSSL 1.1.0 (still under development) has "security" levels, that might
be used for this purpose if the interface is ultimately deemed the right
approach to set a "floor" on cryptographic algorithms across the board.

The fix for logjam is to disable "export" ciphers on all servers and
clients, and then downgrade attacks of this sort become substantially more
difficult to carry out.

-- 
Viktor.
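As an added illustration (not part of Viktor's message or of the Postfix project's own documentation), the settings discussed above expressed as a Postfix main.cf fragment: the export-cipher exclusion on both the server and client side, a server-side DH group larger than the 512-bit export group, DANE authentication for outbound mail, and a per-destination "secure" policy. The DH parameter file path, the dhparam command in the comment, and the example.com policy entry are assumptions for the example; the parameter names are real Postfix 2.11 parameters.

```ini
# --- Weak: export ciphers still enabled (nothing excluded) ---
# smtpd_tls_exclude_ciphers =
# smtp_tls_exclude_ciphers =

# --- Server side (smtpd): refuse export-grade and LOW ciphers ---
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = EXPORT, LOW

# Serve a 2048-bit DH group instead of the default; the parameter name
# says "dh1024" but the file may hold a larger group. Assumed path,
# generated beforehand with:
#   openssl dhparam -out /etc/postfix/dh2048.pem 2048
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

# --- Client side (smtp): same cipher floor for outbound connections ---
smtp_tls_exclude_ciphers = EXPORT, LOW

# DANE: authenticate the server via its TLSA records when the destination
# publishes them (needs a DNSSEC-validating resolver), opportunistic TLS
# otherwise. This defeats STARTTLS stripping for DANE-enabled destinations.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# Per-destination override to a client-side configured secure channel
# (assumed lookup table; example.com is a placeholder domain). Entry in
# /etc/postfix/tls_policy:
#   example.com   secure match=.example.com
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

With the "dane" level, a destination without TLSA records falls back to "may", so the exclude lists are what protects the opportunistic case against the export-cipher downgrade; the "secure" policy entry is what gives the stronger, client-side configured channel the message refers to.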