In message <20160114175729.gg...@mournblade.imrryr.org>
Viktor Dukhovni writes:
> On Thu, Jan 14, 2016 at 12:06:43PM -0500, Curtis Villamizar wrote:
>
> > /usr/local/sbin/postconf -c /etc/postfix -n | grep tls
> >
> > smtp_tls_cert_file = /etc/postfix/cert.pem
> > smtp_tls_key_file = /etc/postfix/key.pem
>
> Usually best to not configure client certificates.
>
> > smtp_tls_ciphers = high
>
> Usually best to leave this at "medium". This is opportunistic
> TLS, and if high fails, you'll send cleartext, which is NOT
> stronger than medium.
That's actually fine if it actuall fell back. Comcast didn't fall
back, it tried secondary MX, then TEMPFAIL. Its only intended for
internal servers that are supposed to bring up TLS with a trusted key
and then also SASL authenticate. Otherwise I might just leave it at
none.
> > smtp_tls_exclude_ciphers = aNULL MD5 DES
>
> Mostly harmless, but not ideal. Instead try:
>
> smtp_tls_exclude_ciphers =
> MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
OK. Thanks. Will do.
> > smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1
>
> This is a terrible idea, it results in unconditional use of
> TLS 1.0 (the hole in that list). If you really want to force
> TLSv1.2, then you must also disable TLSv1
>
> > smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
>
> This is worse, your opportunistic TLS is constrained to
> TLSv1.
The lines are the same. What I'd like is TLSv1.2 only. Documentation
recommended the !format rather than the "legacy" format (in case there
is later a 1.3 defined, for example), there is no TLSv1.0 and TLSv1
refers to TLSv1.x. So no good way to exclude TLSv1.0 afaik (afaik is
now past tense, see below).
> > smtpd_tls_ask_ccert = yes
>
> To you do anything with client certs? If not, don't request
> them.
Since the primary reason for having this was for my own hosts,
particularly the MSA, the intent was to use them if I could.
Unfortunately I can't find an option that requires trusted TLS before
AUTH, just any TLS (no smtpd_tls_auth_only = trusted, just yes/no).
The primary reason for having this is for my own servers to use SASL
authenticate after strong TLS and then:
smtpd_tls_auth_only = yes # would prefer trusted
smtpd_sasl_security_options = mutual_auth
smtpd_relay_restrictions = permit_sasl_authenticated reject_unauth_destination
If I used weak auth it could potentially be leveraged for relay
(although you would have to also get SASL authenticated). A
man-in-the-middle could watch the SASL with weak encryption and SASL
doesn't offer even moderately strong encryption (DIGEST-MD5) though it
does at least do a weak mutual_auth underneath TLS.
The best I can get now is ask and log when a client cert is trusted.
> > smtpd_tls_cert_file = /etc/postfix/cert.pem
> > smtpd_tls_key_file = /etc/postfix/key.pem
>
> What kind of key is that? RSA or ECDSA? Can you
> post the output of:
>
> openssl x509 -in /etc/postfix/cert.pem -noout -text | egrep -v ':.*:.*:'
Relevant parts:
ASN1 OID: secp384r1
Signature Algorithm: ecdsa-with-SHA256
Not supported in openssl 1.0.1, but that is > 1 year old version.
This is OK if the only thing I want authenticated is my own MSA and
MDA servers.
> > smtpd_tls_ciphers = high
>
> This is a bad idea, leave it at medium.
>
> > smtpd_tls_exclude_ciphers = aNULL MD5 DES
>
> This is not needed.
same as smtp.
> > smtpd_tls_loglevel = 2
>
> Level 1 is just right, 2 is too much.
Maybe so. Isn't hurting anything.
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1
>
> Less harmful on servers, but what do you have against TLSv1.1?
> It is not worse than TLSv1, in fact somewhat better. Choose
> one of:
>
> smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
> smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>
> > smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
>
> For opportunistic TLS leave TLSv1, TLSv1.1 and TLSv1.2 enabled.
>
> smtpd_tls_protocols = !SSLv2 !SSLv3
>
> you're changing too many carefully chosen default settings,
> and doing more harm than good.
I thought (apparently incorrectly) that TLSv1 was TLSv1.x so I didn't
include it. Documentation was not clear on that.
> > smtpd_tls_session_cache_timeout = 300
>
> Longer is better, especially with Postfix 2.11+ and session
> tickets. Let the default stand.
Hasn't been a problem. What would it break?
> > tls_dane_digest_agility = on
> > tls_dane_digests = sha512 sha256
> > tls_dane_trust_anchor_digest_enable = yes
> > tls_wildcard_matches_multiple_labels = yes
>
> These are defaults, don't force them on explicitly.
>
> > tls_disable_workarounds = 0xFFFFFFFF
>
> Are you sure that's a good idea? This is opportunistic TLS.
This is TLS between my servers where I happen to get opportunistic TLS
as a result of having a STARTTLS.
> > tls_preempt_cipherlist = yes
> > tls_ssl_options = NO_COMPRESSION
>
> These are fine.
>
>
>
> > /usr/local/bin/openssl version -a
> >
> > OpenSSL 1.0.2e 3 Dec 2015
>
> OK.
>
> > mta1 (secondary MX)
> >
> > OpenSSL 1.0.2d 9 Jul 2015
>
> Upgrade this one perhaps.
Its about to get upgraded any day now (same status as a few months
ago). It will actually get migrated to a different server.
> --
> Viktor.
As originally configured my MSA did unconditional relay for anything
authenticated but used the MTA to mail from internal host to my
domain. It was that MSA to MTA that I wanted strong, and I want MSA
authentication to be even stronger. Most non-MxA hosts smart host to
an MSA, mostly for root's periodic messages. If I miss a host it
would use the MX record and relay to the MTA.
On the MSA I have manditory TLS and SASL:
smtpd_tls_security_level = encrypt
smtpd_relay_restrictions = permit_sasl_authenticated reject
smtpd_client_restrictions = permit_sasl_authenticated reject
Can't use smtpd_tls_req_ccert on MTA.
The MSA needs to be a little weak due to cell phones sending mail. So
can't use smtpd_tls_req_ccert on MSA either (for now) and there is no
smtpd_tls_auth_only = trusted though it would be real nice to have. I
haven't played with trying to install client certs on android (I
encourage the K9 MUA which supports client certs). Client certs on
hosts is no problem, other than generating, installing, and keeping
track of them.
I may change this to relay from MSAs directly to MDAs (with MSAs
ignoring MX records for my domains). Then I could weaken the MTA auth
and not allow any relay. Right now any host that doesn't forward
through MSA fails due to no DKIM signature (which MSA does for them if
they can authenticate).
btw- Postfix documentation isn't perfect but its a whole lot better
than trying to figure out how to do anything with sendmail. I think
I've only used postfix for about a year now and sendmail since 1980s,
so I appreciate anyone that can look over my config.
Thanks for all the good work you do in this area.
Curtis
