On 17/02/17 12:46, L.P.H. van Belle wrote:
> Hai, 

Hi, Louis.

> It all depends all in what you need and want. 
> 
> After monitoring for about a year with or without encryption, 
> I have 0 unencrypted mail servers found and a handful of SSLv2 or v3, 
> which I simply don't allow anymore (the SSLv2/v3). 
> Due to the Dutch "Privacy laws" users are obligated to have/use encrypted 
> lines. And a lot should be encrypted. 
>
> So I prefer a high but compatible set. 
> A setup like this : https://tls.imirhil.fr/smtp/mail.van-belle.nl  
> My preferred site to check ciphersets.  
> I'm also running debian jessie postfix 2.11.

I tried to test against tls.imirhil.fr, but the check ends with an error
saying that the process lasted more than 2 min. I'm not sure what might
be the cause of this. In mail.log I see the received connections to make
the checks.

> And yes, there is always room for improvements, but my cipher check shows me 
> the following and I'm happy with it. 
> 
>       2 TLSv1 with cipher AES256-SHA
>       6 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
>      13 TLSv1.2 with cipher AES256-SHA
>      27 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
>      34 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
>     103 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
>     302 TLSv1 with cipher DHE-RSA-AES256-SHA
>     772 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
>    2307 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
>   11684 TLSv1 with cipher ECDHE-RSA-AES256-SHA

Very interesting statistics.

> # Add these to log the ciphers used. 
> smtp_tls_loglevel=1
> smtpd_tls_loglevel=1
> 
> # check encrypted connections with (fields 12-15 of the log line are "<protocol> with cipher <name>"): 
> # grep "connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n 
> # check for clear text connections:
> # grep "connection established from" /var/log/mail.log | grep -v cipher | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n

Thanks for sharing these scripts to total the connections with each cipher.

> # outgoing connections: smtp
> smtp_tls_protocols = !SSLv2,!SSLv3

I have not explicitly defined this variable, so I have the default value,
which is:

smtp_tls_protocols = !SSLv2

So I think it may be advisable to add !SSLv3.

> smtp_tls_ciphers = high

I have not explicitly defined this variable, so I have the default value,
which is "export".

I was reading the documentation [1] where reference is made to "minimum
TLS cipher grade", but I'm not clear how these degrees are defined.

> smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4

> smtp_tls_security_level = may

Here for smtp_tls_security_level I also have the same configuration.

> smtp_tls_note_starttls_offer = yes

I have not explicitly defined this variable, so I have the default value,
which is "no". I was reading the documentation about this and it says
"Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
is not already enabled for that server". This is not clear to me or
maybe I'm missing something. If the remote server provides STARTTLS,
then is not TLS enabled on that server?

> # incoming connections: smtpd
> smtpd_use_tls = yes
> smtpd_enforce_tls = no

Here we agree. The smtpd_enforce_tls variable is not declared in my
main.cf, but the value "no" is the default.

> smtpd_tls_protocols = !SSLv2,!SSLv3

I have not specifically declared this variable in my main.cf, and I see
that it is empty:

# postconf | grep smtpd_tls_protocols
smtpd_tls_protocols =
tlsproxy_tls_protocols = $smtpd_tls_protocols

In the Postfix documentation [2] I see that the default value is
!SSLv2,!SSLv3. Maybe this has changed in recent versions? I'm using
Postfix 2.11.3-1 on Debian Jessie 8.7.

> smtpd_tls_ciphers = high

Here I have a question similar to the one I mentioned for
smtp_tls_ciphers. How are these cipher grades [3] defined? Here I am
also using the value "export", since I have not explicitly defined this
variable in main.cf.

> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, 
> DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
> #, RSA+AES

Despite having smtpd_tls_protocols with an empty value, when testing on
ssl-tools.net, it shows that I am not using weak ciphers (it shows an
SSL3 that is crossed out). Is this related to the values in the
smtpd_tls_exclude_ciphers variable suggested by Angelo (DEA-CBC-SHA,
DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL)?

> smtpd_tls_eecdh_grade = ultra

Here I have the default value, which is "strong". It seems to be an
acceptable value from what I see in the documentation [4].


Thanks for your reply and your time.

Kind regards,
Daniel

[1] http://www.postfix.org/postconf.5.html#smtp_tls_ciphers
[2] http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
[3] http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
[4] http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade

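The grep/awk one-liners quoted in the thread count inbound TLS sessions by protocol and cipher, relying on fixed field positions, and the "clear text" variant looks for an "established from" line without a cipher. The script below is an added example (not code from the thread or from Postfix) that does the same tally from the "TLS connection established" line Postfix writes when smtp_tls_loglevel/smtpd_tls_loglevel are set to 1, then flags each protocol/cipher pair for the things a scanner such as tls.imirhil.fr reports (legacy protocol, weak algorithm, no forward secrecy). Since Postfix 2.11 does not log a starttls= counter on the disconnect line, it also finds clear-text sessions by correlating a smtpd process's connect/disconnect lines with the absence of a TLS line in between; that pid-based correlation is a heuristic of this example, not a Postfix feature. The log lines, host names and addresses are constructed for the example.

```python
# Added example: tally Postfix TLS sessions per protocol/cipher from mail.log
# lines, flag legacy combinations, and find smtpd sessions that never
# negotiated TLS. Assumes the standard Postfix 2.x/3.x log line formats.
import re
from collections import Counter

# Postfix logs one line per TLS session: "<trust> TLS connection established
# from <client>: <proto> with cipher <cipher> (<bits>/<bits> bits)" for smtpd,
# and "... established to <server>:<port>: ..." for the smtp client.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<keybits>\d+) bits\)"
)
# smtpd session boundaries: "connect from <peer>" ... "disconnect from <peer>".
SESSION_LINE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<event>connect|disconnect) from (?P<peer>\S+)"
)

MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")

# Constructed sample log excerpt (hosts/addresses are documentation ranges).
SAMPLE_LOG = """\
Feb 17 12:40:00 mx postfix/smtpd[1001]: connect from mta1.example.net[192.0.2.10]
Feb 17 12:40:01 mx postfix/smtpd[1001]: Anonymous TLS connection established from mta1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 17 12:40:03 mx postfix/smtpd[1001]: disconnect from mta1.example.net[192.0.2.10]
Feb 17 12:40:05 mx postfix/smtpd[1002]: Anonymous TLS connection established from mta1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 17 12:41:10 mx postfix/smtpd[1003]: Anonymous TLS connection established from old.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb 17 12:42:30 mx postfix/smtpd[1004]: Untrusted TLS connection established from legacy.example.com[203.0.113.5]: TLSv1 with cipher AES256-SHA (256/256 bits)
Feb 17 12:43:00 mx postfix/smtpd[1005]: Anonymous TLS connection established from mta2.example.net[192.0.2.11]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 17 12:44:12 mx postfix/smtp[1100]: Trusted TLS connection established to mail.example.com[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 17 12:45:00 mx postfix/smtpd[1006]: connect from plain.example.org[203.0.113.9]
Feb 17 12:45:02 mx postfix/smtpd[1006]: disconnect from plain.example.org[203.0.113.9]
Feb 17 12:45:20 mx postfix/smtpd[1007]: Anonymous TLS connection established from rc4.example.org[203.0.113.12]: TLSv1 with cipher RC4-SHA (128/128 bits)
""".splitlines()


def parse_tls_line(line):
    """Return the fields of a TLS session line as a dict, or None."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def assess(proto, cipher):
    """Reasons a protocol/cipher pair gets flagged: legacy protocol, weak
    algorithm in the suite name, or RSA key exchange (no forward secrecy)."""
    issues = []
    if proto not in MODERN_PROTOCOLS:
        issues.append("legacy protocol " + proto)
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        issues.append("weak cipher " + cipher)
    # TLS 1.3 suites always use (EC)DHE; older suites only when so prefixed.
    if proto != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-", "EDH-")):
        issues.append("no forward secrecy (" + cipher + ")")
    return issues


def tally(lines, direction="from"):
    """Count sessions per (proto, cipher); "from" = inbound smtpd,
    "to" = outbound smtp client. Same numbers as `sort | uniq -c`."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_line(line)
        if rec and rec["direction"] == direction:
            counts[(rec["proto"], rec["cipher"])] += 1
    return counts


def report(lines, direction="from"):
    """Render the tally in the shape of the thread's one-liner output
    (least common first), with the flagged reasons appended."""
    rows = []
    for (proto, cipher), n in sorted(tally(lines, direction).items(),
                                     key=lambda kv: (kv[1], kv[0])):
        flags = assess(proto, cipher)
        note = "  <-- " + "; ".join(flags) if flags else ""
        rows.append(f"{n:7d} {proto} with cipher {cipher}{note}")
    return "\n".join(rows)


def cleartext_sessions(lines):
    """Heuristic for logs without a starttls= counter: a smtpd session
    (connect..disconnect for one pid) with no TLS line in between was
    clear text. Returns the peers of such sessions in log order."""
    tls_seen = set()
    cleartext = []
    for line in lines:
        m = SESSION_LINE.search(line)
        if m:
            if m["event"] == "connect":
                tls_seen.discard(m["pid"])      # new session on this process
            elif m["pid"] not in tls_seen:
                cleartext.append(m["peer"])
            continue
        rec = parse_tls_line(line)
        if rec and rec["daemon"] == "smtpd":
            tls_seen.add(rec["pid"])
    return cleartext


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("clear text:", cleartext_sessions(SAMPLE_LOG))
```

Feed it the real file with `report(open("/var/log/mail.log"))`; the outbound view (`direction="to"`) tells you what remote servers negotiate with your smtp client, which is what changing smtp_tls_ciphers from "export" to "high" affects. The clear-text check only sees sessions whose connect and disconnect lines are both in the excerpt, so run it over a whole log rotation rather than a tail.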