> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski <t...@onefellow.com> wrote:
>
> all looks good except _outgoing_ mail that still uses
> ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
> ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using
> ECDHE-ECDSA-AES256-GCM-SHA384.
>
> so where is the problem? settings are:
>
> smtp_tls_ciphers = high
> smtp_tls_mandatory_ciphers = high
> smtpd_tls_ciphers = high
> smtpd_tls_mandatory_ciphers = high
> tls_high_cipherlist =
> ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
Please stop. In trying to make your server "more secure" you're making it
less secure. See https://tools.ietf.org/html/rfc7435 for why.

The reason outgoing mail is not using ECDSA is that almost nobody has
configured ECDSA certificates along with their RSA certificates on their
MX hosts. No matter how fancy your SMTP client configuration, the server
won't suddenly acquire an ECDSA key-pair.

The fewer changes you make to the Postfix TLS cipher settings, the more
likely you're to have a reasonably secure and interoperable configuration.

It is at this time not unreasonable to set "tls_preempt_cipherlist = yes"
if some of your SMTP clients have "poor" cipher preferences.

You can also exclude some truly obsolete ciphers via:

    smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

which makes for a more compact TLS ClientHello. This is generally not
needed. Some of these exclusions might happen by default in a future
Postfix release.

The MD5, kDH and kECDH ciphers are largely gone from OpenSSL 1.1.0 and
later. Only the eNULL MD5 cipher remains:

    $ openssl ciphers -v MD5:kDH:kECDH
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

-- 
Viktor.
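To see concretely what the exclusion list in the reply above removes, here is a small audit script that parses an `openssl ciphers -v` listing and reports which suites each excluded alias matches. This is an added example, not code from the thread or from the Postfix project. The sample listing is constructed to resemble real `openssl ciphers -v` output, and the mapping from OpenSSL aliases (MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5) to columns of that output is my approximation of how OpenSSL classifies suites, in particular that kECDH and kDH denote the static (non-ephemeral) key exchanges that OpenSSL prints as `Kx=ECDH/<auth>` and `Kx=DH/<auth>`.

```python
"""
Audit an ``openssl ciphers -v`` listing against a Postfix-style exclusion
list (the aliases named in the reply above).

Added example; not Postfix or OpenSSL code. The alias-to-column mapping
below is an assumption about OpenSSL's classification, and the listing is
constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout printed by ``openssl ciphers -v``.
SAMPLE_LISTING = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
"""

# The exclusion list quoted in the reply above.
POSTED_EXCLUSIONS = ["MD5", "aDSS", "kECDH", "kDH", "SEED", "IDEA", "RC2", "RC5"]


@dataclass
class Suite:
    name: str
    version: str
    kx: str
    au: str
    enc: str
    mac: str


LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_listing(text):
    """Turn ``openssl ciphers -v`` lines into Suite records; skip malformed lines."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(Suite(**m.groupdict()))
    return suites


# Assumed alias semantics: each alias is a predicate over the parsed columns.
# kECDH / kDH are the static key-exchange variants (Kx=ECDH/RSA, Kx=DH/RSA, ...),
# not the ephemeral ECDHE / DHE suites, which print as plain Kx=ECDH / Kx=DH.
ALIASES = {
    "MD5":   lambda s: s.mac == "MD5",
    "aDSS":  lambda s: s.au == "DSS",
    "kECDH": lambda s: s.kx.startswith("ECDH/"),
    "kDH":   lambda s: s.kx.startswith("DH/"),
    "SEED":  lambda s: s.enc.startswith("SEED"),
    "IDEA":  lambda s: s.enc.startswith("IDEA"),
    "RC2":   lambda s: s.enc.startswith("RC2"),
    "RC5":   lambda s: s.enc.startswith("RC5"),
}


def excluded_by(suite, exclusions):
    """Return the aliases from ``exclusions`` that match this suite."""
    return [a for a in exclusions if ALIASES[a](suite)]


def audit(text, exclusions):
    """Split a listing into (kept names, {dropped name: matching aliases})."""
    kept, dropped = [], {}
    for s in parse_listing(text):
        hits = excluded_by(s, exclusions)
        if hits:
            dropped[s.name] = hits
        else:
            kept.append(s.name)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = audit(SAMPLE_LISTING, POSTED_EXCLUSIONS)
    print("kept:", ", ".join(kept))
    for name, hits in dropped.items():
        print(f"dropped {name:32s} via {','.join(hits)}")
```

On a real host, replace `SAMPLE_LISTING` with the output of `openssl ciphers -v` for the cipher string Postfix actually uses; the ephemeral ECDHE/DHE suites survive the exclusion, which is the point of the reply: the list only trims obsolete suites and does not touch the ones that matter for interoperability.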