On Thu, Mar 10, 2016 at 04:40:37PM -0600, Blake Hudson wrote:

> >>> smtpd_tls_exclude_ciphers =
> >>>     EXPORT, LOW, MD5, SEED, IDEA, RC2
> >>> smtp_tls_exclude_ciphers =
> >>>     EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
> >
> > With opportunistic TLS one should be somewhat cautious about
> > excluding ciphersuites that are potentially needed for interoperability,
> > and are not known to be harmful.
>
> I understand that reasoning, but isn't that the same argument (the "they're
> not hurting anything" argument) that resulted in SSLv2 and export ciphers
> being left enabled in software for a decade or two past their usefulness?
Sure, if we're considering known weak ciphers, and especially those not
needed for interoperability in practice. Hence the removal of EXPORT/LOW
from Postfix in Jul/2015 and from OpenSSL in Mar/2016. And RC4 TLS ciphers
will be gone by default from OpenSSL 1.1.0, and I expect also disabled by
default in Postfix 3.2.0 (2017).

However, when a cipher is not presently known to be less secure than
cleartext (by contributing to downgrade attacks against configurations
that expect real security, ...) and it is still needed to interoperate
with a non-negligible set of peers, then it may not *yet* be time to
disable it.

> If the ciphers are obsolete or could be used to provide a weak side
> channel for breaking a certificate (aka DROWN), shouldn't they be
> removed at some point simply because they are likely to be a problem
> sooner or later?

Yes, once they are no longer in use. We're almost there for RC4, but
just right now, there is still enough residual use, and no known attack
to warrant disabling it for everyone right now. That day will come soon.

Postfix won't maintain a crypto-museum, but opportunistic TLS will
retire crypto that is less than the shiniest more slowly than use-cases
with mandatory TLS. Therefore, by all means feel free to set:

    smtpd_tls_mandatory_exclude_ciphers = RC4, 3DES
    smtp_tls_mandatory_exclude_ciphers = RC4, 3DES

IIRC the mandatory exclusions are in addition to the opportunistic
exclusions.

The list of ciphers disabled by default in Postfix will evolve, and if
you use sufficiently recent OpenSSL releases, Postfix may not need to
shoulder most of that responsibility. Ciphers too weak for opportunistic
TLS will likely not be enabled in default builds of OpenSSL.

-- 
	Viktor.
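An added example, not part of the thread or of Postfix itself: it turns Postfix-style exclude lists into OpenSSL cipherlist syntax, stacking the mandatory exclusions on top of the opportunistic ones as described above, and (when an openssl binary is available) counts how many RC4 and 3DES suites each resulting list still enables. The base list is assumed to be Postfix's "medium" grade cipherlist, and the "append each excluded name as !NAME" rule is an assumption about how Postfix composes the string.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Postfix appends every
# excluded name to the grade cipherlist as "!NAME"; BASE_LIST below is the
# assumed value of tls_medium_cipherlist at the time of the thread.

BASE_LIST='aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH'   # assumed "medium" grade

# build_cipherlist BASE "a, b" ["c, d" ...]
# Each extra argument is a comma/space separated Postfix exclude list.
# Passing the mandatory list as a second argument models the "mandatory
# exclusions are in addition to the opportunistic ones" reading.
build_cipherlist() {
    list=$1; shift
    for excl in "$@"; do
        for name in $(printf '%s' "$excl" | tr ',' ' '); do
            list="$list:!$name"
        done
    done
    printf '%s\n' "$list"
}

# suite_names CIPHERLIST -> one enabled suite per line; empty output when
# openssl is missing or rejects the list (so callers degrade to "0").
suite_names() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# count_matching CIPHERLIST PATTERN -> number of enabled suites whose
# name contains PATTERN (e.g. RC4, DES-CBC3 for 3DES suites).
count_matching() {
    suite_names "$1" | grep -c -- "$2" || true
}

main() {
    opp=$(build_cipherlist "$BASE_LIST" 'EXPORT, LOW, MD5, SEED, IDEA, RC2')
    man=$(build_cipherlist "$BASE_LIST" 'EXPORT, LOW, MD5, SEED, IDEA, RC2' \
                           'RC4, 3DES')
    printf 'opportunistic: %s\n' "$opp"
    printf 'mandatory:     %s\n' "$man"
    for pat in RC4 DES-CBC3; do
        printf '%-9s opportunistic=%s mandatory=%s\n' "$pat" \
            "$(count_matching "$opp" "$pat")" "$(count_matching "$man" "$pat")"
    done
}
main "$@"
```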