Recent updates to the supported Postfix releases have updated the
default settings of the OpenSSL ciphers used for opportunistic TLS
from "export" to "medium".

If you're not yet using one of the releases from mid July, or
have set non-default values for either of:

    smtpd_tls_protocols
    smtpd_tls_ciphers
    smtp_tls_protocols
    smtp_tls_ciphers

you should in most cases update main.cf by setting:

    # Exclude obsolete weak crypto.
    #
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_ciphers = medium
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_ciphers = medium

This will disable obsolete SSL protocol versions and the weakest
ciphersuites that are rarely if ever used, and should not be used
going forward.  The above settings are the defaults for the most
recent Postfix versions.

If you need to send email to Exchange 2003 servers (not necessarily
your own), you might also want to set:

    # Drop "exotic" ciphers leaving room for RC4-SHA in the top 64
    #
    smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

which disables very rarely used ciphersuites that are not expected
to be required for interoperability, making it possible for Exchange
2003 SMTP servers to negotiate RC4-SHA, which is the best ciphersuite
that software supports.

With Postfix 2.11 or later, you don't need a file-based TLS session
cache.  Session tickets are better:

    # Empty is best with Postfix >= 2.11
    #
    smtpd_tls_session_cache_database =

Finally, you should generally use 2048-bit rather than 1024-bit DH
parameters:

    http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start

        smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
        smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem

The 512-bit parameter file won't be used if you've disabled "EXPORT"
ciphers by setting "smtpd_tls_ciphers = medium" as recommended
above.  You can even set:

    smtpd_tls_dh512_param_file = ${config_directory}/dh2048.pem

which would likely result in handshake failure if a DHE EXPORT
cipher were negotiated, which is arguably a safety feature.  Worst
case you'll be using an export ciphersuite with a key agreement
protocol immune to LOGJAM.

-- 
        Viktor.
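
The protocol and cipher-grade settings recommended above can be checked in an existing main.cf with a short script. This is an added example, not part of the original post or of Postfix: the function names and the sample fragment are made up for illustration, and it only understands the `!name` exclusion form and plain protocol-name lists. Parameters that are not set at all are left alone, since they take the defaults of the installed release.

```python
import re

WEAK_GRADES = {"export", "low", "null"}   # cipher grades below "medium"
OLD_PROTOCOLS = ("SSLv2", "SSLv3")

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    settings, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace():  # continuation of the current logical line
            if name:
                settings[name] = (settings[name] + " " + raw.strip()).strip()
            continue
        name, _, value = (part.strip() for part in raw.partition("="))
        settings[name] = value  # a later assignment overrides an earlier one
    return settings

def enabled_old_protocols(value):  # which of SSLv2/SSLv3 the list still allows
    tokens = [t for t in re.split(r"[,:\s]+", value) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    if included:  # a positive list enables only the protocols it names
        return [p for p in OLD_PROTOCOLS if p in included and p not in excluded]
    return [p for p in OLD_PROTOCOLS if p not in excluded]

def audit(text):  # only explicitly set values are checked
    cfg, findings = parse_main_cf(text), []
    for side in ("smtpd", "smtp"):
        proto = cfg.get(f"{side}_tls_protocols")
        if proto is not None:
            findings += [f"{side}_tls_protocols leaves {p} enabled" for p in enabled_old_protocols(proto)]
        grade = cfg.get(f"{side}_tls_ciphers")
        if grade is not None and grade.lower() in WEAK_GRADES:
            findings.append(f"{side}_tls_ciphers = {grade} (below medium)")
    return findings

# Constructed main.cf fragment, including a wrapped exclude list.
SAMPLE = """\
smtpd_tls_protocols = !SSLv2
smtpd_tls_ciphers = export
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA,
    RC2, RC5
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Note that the wrapped `smtp_tls_exclude_ciphers` value is only read as one setting because its second line starts with whitespace; a continuation that begins in column one is parsed as a separate line.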
