On Thu, Jan 14, 2016 at 03:53:23PM -0500, Curtis Villamizar wrote:
> > > smtp_tls_ciphers = high
> >
> > Usually best to leave this at "medium". This is opportunistic
> > TLS, and if high fails, you'll send cleartext, which is NOT
> > stronger than medium.
>
> That's actually fine if it actuall fell back. Comcast didn't fall
> back, it tried secondary MX, then TEMPFAIL. Its only intended for
> internal servers that are supposed to bring up TLS with a trusted key
> and then also SASL authenticate. Otherwise I might just leave it at
> none.
This is an SMTP *client* setting for your outbound connections,
and has nothing to do with what happens when Comcast sends you
mail. My point is that this is unwise, regardless of Comcast.
> > > smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
> >
> > This is worse, your opportunistic TLS is constrained to
> > TLSv1.
>
> The lines are the same. What I'd like is TLSv1.2 only. Documentation
> recommended the !format rather than the "legacy" format (in case there
> is later a 1.3 defined, for example), there is no TLSv1.0 and TLSv1
> refers to TLSv1.x. So no good way to exclude TLSv1.0 afaik (afaik is
> now past tense, see below).
To exclude TLSv1, use "!TLSv1". Do check the docs for syntax,
that's what they're there for.
> > > smtpd_tls_ask_ccert = yes
> >
> > To you do anything with client certs? If not, don't request
> > them.
>
> Since the primary reason for having this was for my own hosts,
> particularly the MSA, the intent was to use them if I could.
Set that on port 587 only, master.cf.
> Unfortunately I can't find an option that requires trusted TLS before
> AUTH, just any TLS (no smtpd_tls_auth_only = trusted, just yes/no).
smtpd_tls_req_ccert=yes requires trusted TLS, that is the client's
certificate must be issued by a trusted CA. For port 587 only,
and understand the consequences.
> > > smtpd_tls_cert_file = /etc/postfix/cert.pem
> > > smtpd_tls_key_file = /etc/postfix/key.pem
> >
> > What kind of key is that? RSA or ECDSA? Can you
> > post the output of:
> >
> > openssl x509 -in /etc/postfix/cert.pem -noout -text | egrep -v ':.*:.*:'
>
> Relevant parts:
>
> ASN1 OID: secp384r1
> Signature Algorithm: ecdsa-with-SHA256
Well, that's probably why comcast is having trouble, they likely
don't support ECDSA. You really should field an RSA certificate,
along with the (still bleeding-edge) ECDSA certificate.
> Not supported in openssl 1.0.1, but that is > 1 year old version.
Actually, even 1.0.0 supports ECDSA, but not on RedHat/CentOS
systems, for patent-fear reasons.
> This is OK if the only thing I want authenticated is my own MSA and
> MDA servers.
No, it means that Comcast can't perform a TLS handshake because
they don't support ECDSA.
> > > smtpd_tls_ciphers = high
> >
> > This is a bad idea, leave it at medium.
> >
> > > smtpd_tls_exclude_ciphers = aNULL MD5 DES
> >
> > This is not needed.
>
> same as smtp.
The roles of the client and server are very differnt. Just
because the settings are the same, does not make them right,
even if they are right for the other case.
http://www.postfix.org/TLS_README.html#client_tls_limits
You're working too hard trying to make your system more secure,
and shooting yourself in the foot making it less secure as a result.
Apply the suggested settings, they're better, leave more things
at their defaults.
> > > smtpd_tls_loglevel = 2
> >
> > Level 1 is just right, 2 is too much.
>
> Maybe so. Isn't hurting anything.
Actually it severely hampers performance under load, because syslog
gets overwhelmed with messages.
> I thought (apparently incorrectly) that TLSv1 was TLSv1.x so I didn't
> include it. Documentation was not clear on that.
TLSv1 is just TLS 1.0. That's what OpenSSL called it, (and then
later 1.1 came along. At the time the only previous examples
were SSLv2 and SSLv3, so TLSv1 made sense.
> > > smtpd_tls_session_cache_timeout = 300
> >
> > Longer is better, especially with Postfix 2.11+ and session
> > tickets. Let the default stand.
>
> Hasn't been a problem. What would it break?
SMTP clients connect less often than HTTP clients, longer session
time improve session reuse and cost you nothing (because the
session state is client-side).
> > > tls_disable_workarounds = 0xFFFFFFFF
> >
> > Are you sure that's a good idea? This is opportunistic TLS.
>
> This is TLS between my servers where I happen to get opportunistic TLS
> as a result of having a STARTTLS.
Well it also affects inbound mail from Comcast and others, and
outbound mail to the world.
--
Viktor.
> Can't use smtpd_tls_req_ccert on MTA.
>
> The MSA needs to be a little weak due to cell phones sending mail. So
> can't use smtpd_tls_req_ccert on MSA either (for now) and there is no
> smtpd_tls_auth_only = trusted though it would be real nice to have.
How would that differ from "smtpd_tls_req_ccert". What would
"trusted" mean?
