On Thu, Mar 10, 2016 at 05:22:22AM -0700, @lbutlr wrote:

> > smtpd_tls_exclude_ciphers =
> >        EXPORT, LOW, MD5, SEED, IDEA, RC2
> >   smtp_tls_exclude_ciphers =
> >        EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2

With opportunistic TLS one should be somewhat cautious about
excluding ciphersuites that are potentially needed for interoperability,
and are not known to be harmful.

Therefore, my exclusion list eliminates LOW and EXPORT, and then
removes just a few more things that are believed to not be needed
anywhere and that just increase the attack surface.

> I have 
> 
> smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4, LOW, EXPORT

Once you've disabled each of DES and MD5, it is a bit silly to
disable the combination of DES+MD5, it is already doubly disabled.
Just one disable is enough, you don't need three.

Whether you should remove RC4 is not so clear, rather
depends on who you correspond with.  Sites that do only RC4 are
disappearing, but not yet gone.  So I am not yet encouraging everyone
to stop using it, the risk of problems from the small biases in
the first 256 bytes of RC4 output is rather minimal on port 25.
I don't send email to any domains that need RC4, so I have it
disabled, your mileage may vary.

On port 587, if you have users using "AUTH PLAIN" or "AUTH LOGIN",
and someone can convince the MUA to connect and authenticate tens
of millions of times, there could be a password leak.  You can
disable RC4 with mandatory TLS on port 587 if that works for your
users.

Some of the above exclusions are in fact specifically intended to
reduce the number of ciphersuites in the client HELLO to below 65,
to improve interoperability with older Microsoft stacks that are
RC4-only.  And many of the excluded ciphersuites become unconditionally
unavailable in OpenSSL 1.1.0 (EXPORT and LOW are gone in default
builds of 1.0.2g/1.0.1s).

I don't recommend disabling aNULL, but you can do so if you wish.

> smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, IDEA, RC2, 
> RC5

> Which is a bit different. Are aDSS and DES and 3DES and DES+MD5 and RC4
> redundant in my smtpd exclusions?

You don't need to explicitly disable PSK or SRP, they are disabled
when callbacks for the shared keys are not set, and Postfix has no
code to support PSK or SRP.  3DES has stood the test of time
reasonably well.  I am not aware of any reason to exclude it, but
I don't see it in use either.  So, whatever...

-- 
        Viktor.

I tried to find '3DES|CBC3' in my logs, and what I found was:

    Mar  2 15:06:27 amnesiac postfix/smtpd[16766]: CBC31282C3D:
        client=dmz-mailsec-scanner-8.mit.edu[18.7.68.37]

Which was not exactly what I was looking for... :-)
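
The log search described above, as an added example that is not part of the original message: instead of matching '3DES|CBC3' anywhere in a line, it parses only the TLS handshake summary lines that Postfix logs at smtpd_tls_loglevel/smtp_tls_loglevel = 1 and tallies which peers still negotiate RC4 or 3DES, which is the information needed before excluding either. Function names, host names and all sample lines except the first (the one quoted in the post) are constructed.

```python
import re
from collections import Counter, defaultdict

# Handshake summary line logged by Postfix at (smtp|smtpd)_tls_loglevel = 1.
TLS_LINE = re.compile(
    r"postfix\S*/(?P<daemon>smtpd?)\[\d+\]: \w+ TLS connection established "
    r"(?:from|to) (?P<peer>\S+?\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \("
)

# Substrings of OpenSSL cipher names for the two classes debated in the thread.
LEGACY = {"3DES": "DES-CBC3", "RC4": "RC4"}

def negotiated(line):
    """Return (daemon, peer, cipher) for a TLS summary line, else None."""
    m = TLS_LINE.search(line)
    return (m["daemon"], m["peer"], m["cipher"]) if m else None

def legacy_peers(lines):
    """Map 'RC4'/'3DES' -> Counter of (daemon, peer) that negotiated it."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = negotiated(line)
        if parsed is None:
            continue  # not a handshake line, e.g. a queue ID containing CBC3
        daemon, peer, cipher = parsed
        for label, marker in LEGACY.items():
            if marker in cipher:
                hits[label][(daemon, peer)] += 1
    return dict(hits)

# First line is the one quoted in the post; the rest are constructed samples.
SAMPLE = [
    "Mar  2 15:06:27 amnesiac postfix/smtpd[16766]: CBC31282C3D: "
    "client=dmz-mailsec-scanner-8.mit.edu[18.7.68.37]",
    "Mar  2 15:06:30 mx postfix/smtpd[16770]: Anonymous TLS connection established "
    "from old.example.net[192.0.2.10]: TLSv1 with cipher RC4-SHA (128/128 bits)",
    "Mar  2 15:07:01 mx postfix/smtp[16801]: Untrusted TLS connection established "
    "to mail.example.org[192.0.2.20]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Mar  2 15:08:11 mx postfix/smtp[16802]: Untrusted TLS connection established "
    "to legacy.example.com[192.0.2.30]:25: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)",
    "Mar  2 15:09:45 mx postfix/smtpd[16771]: Anonymous TLS connection established "
    "from old.example.net[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)",
]

if __name__ == "__main__":
    for label, peers in sorted(legacy_peers(SAMPLE).items()):
        for (daemon, peer), count in peers.most_common():
            print(f"{label:5} {daemon:6} {peer} x{count}")
```

An empty result over a representative log window means no peer negotiated that cipher class with this host during that window.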
