On 2015-08-06 09:08, Viktor Dukhovni wrote:
>
> Recent updates to the supported Postfix releases have updated the
> default settings of the OpenSSL ciphers used for opportunistic TLS
> from "export" to "medium".
>
> If you're not yet using one of the releases from mid July, or
> have set non-default values for either of:
>
>     smtpd_tls_protocols
>     smtpd_tls_ciphers
>     smtp_tls_protocols
>     smtp_tls_ciphers
>
> You should in most cases update main.cf by setting:
>
>     # Exclude obsolete weak crypto.
>     #
>     smtpd_tls_protocols = !SSLv2, !SSLv3
>     smtpd_tls_ciphers = medium
>     smtp_tls_protocols = !SSLv2, !SSLv3
>     smtp_tls_ciphers = medium

Why medium and not high, while we're at it? What clients would have
problems with it?

>
> this will disable obsolete SSL protocol versions and the weakest
> ciphersuites that are rarely if ever used, and should not be used
> going forward. The above settings are the defaults for the most
> recent Postfix versions.
>
> If you need to send email to Exchange 2003 servers (not necessarily
> your own), you might also want to set:
>
>     # Drop "exotic" ciphers leaving room for RC4-SHA in the top 64
>     #
>     smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA,
>         RC2, RC5
>
> which disables very rarely used ciphersuites that are not expected
> to be required for interoperability, making it possible for Exchange
> 2003 SMTP servers to negotiate RC4-SHA, which is the best ciphersuite
> that software supports.
>
> With Postfix 2.11 or later, you don't need a file-based TLS session
> cache. Session tickets are better:
>
>     # Empty is best with Postfix >= 2.11
>     #
>     smtpd_tls_session_cache_database =
>
> Finally, you should generally use 2048-bit rather than 1024-bit DH
> parameters:
>
>     http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
>
>     smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
>     smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
>
> The 512-bit parameter file won't be used if you've disabled "EXPORT"
> ciphers by setting "smtpd_tls_ciphers = medium" as recommended
> above. You can even set:
>
>     smtpd_tls_dh512_param_file = ${config_directory}/dh2048.pem
>
> which would likely result in handshake failure if a DHE EXPORT
> cipher were negotiated, which is arguably a safety feature. Worst
> case you'll be using an export ciphersuite with a key agreement
> protocol immune to LOGJAM.
>

Is usage of tls_preempt_cipherlist still recommended?

-- 
Best Regards,
Sven Schwedas
System Administrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167
http://software.tao.at
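
The settings recommended in the quoted message can be checked mechanically. The following is an added example, not part of the thread and not Postfix code: it parses main.cf text and reports where the four protocol/cipher parameters and the session cache setting differ from the quoted recommendations. The function names, the sample fragment, and the simplified reading of the protocol list are assumptions of this example.

```python
import re
OBSOLETE = ("sslv2", "sslv3")    # protocols the thread says to exclude
WEAK_GRADES = {"export", "low"}  # Postfix cipher grades below "medium"

def parse_main_cf(text):
    """Parse main.cf text into {name: value}, joining continuation lines."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:  # leading whitespace continues a value
            params[name] = f"{params[name]} {raw.strip()}".strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value
    return params

def obsolete_allowed(value):
    """Return the obsolete protocols a *_tls_protocols value still permits."""
    tokens = [t.lower() for t in re.split(r"[,\s:]+", value) if t]
    listed = {t for t in tokens if not t.startswith("!")}
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return [p for p in OBSOLETE if (p in listed if listed else p not in excluded)]

def audit(params):
    """Compare parsed settings with the values recommended in the thread."""
    findings = []
    for side in ("smtpd", "smtp"):
        protocols, ciphers = (params.get(f"{side}_tls_{k}") for k in ("protocols", "ciphers"))
        if protocols is None or ciphers is None:
            findings.append(f"{side}: protocols or ciphers unset, depends on release defaults")
        if protocols is not None and obsolete_allowed(protocols):
            findings.append(f"{side}_tls_protocols allows {', '.join(obsolete_allowed(protocols))}")
        if ciphers is not None and ciphers.lower() in WEAK_GRADES:
            findings.append(f"{side}_tls_ciphers = {ciphers} is below medium")
    if params.get("smtpd_tls_session_cache_database"):
        findings.append("smtpd_tls_session_cache_database set; empty is best on Postfix >= 2.11")
    return findings

# Constructed sample main.cf fragment (not taken from the thread).
SAMPLE = """\
smtpd_tls_protocols = !SSLv2
smtpd_tls_ciphers = export
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA,
    RC2, RC5
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
"""
if __name__ == "__main__":
    print(*audit(parse_main_cf(SAMPLE)), sep="\n")
```

On a live system the text to audit would come from the main.cf file itself; an unset parameter is reported rather than judged, because its effective value depends on the installed release.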