You've likely all been hearing that RC4 is on its way out, with
increasingly practical attacks to extract fixed plaintext that is
sent repeatedly in lots of messages (e.g. HTTP cookies).
While it is not clear how to extend these attacks to MTA-to-MTA
SMTP (except when SASL PLAIN auth is used), there is some merit in
trying to phase out support for RC4.
Before that's done however, I would like to have some evidence that
the need for RC4 is diminishing. Therefore, I'd like to ask the
list whether you're seeing declining use of RC4 in your TLS
connections (inbound or outbound). Are there over time fewer
servers that don't support AES? How long do you think you'll
continue to need RC4?
The reason I ask, is that I'm lately also a member of the OpenSSL
development team, and they (we) are considering reclassifying RC4
as "LOW" rather than "MEDIUM" in the upcoming OpenSSL 1.1.0 release
(towards the end of this year).
That release is likely to appear in new "distros" some time next
year, and Postfix built against that version of OpenSSL might no
longer support RC4 by default.
If RC4 is still needed to interoperate with the long tail of Exchage
2003 and similar SMTP servers, I can accept that proposed change,
and make changes in the Postfix cipherlists to accomodate RC4 as
a last resort (because it is still needed). Or I can argue against
the reclassification of RC4 to LOW and say that the right change
is just to drop it from the "DEFAULT" cipherlist. Or perhaps it
will soon enough not be needed at all?
So, if you have any data on long-term trends in RC4 use, especially
from a site with a high volume of traffic (1 million messages per
day or more), please post your findings. Is RC4 disappearing from
SMTP TLS, or continuing to be used by laggards resistant to change?
--
Viktor.
