Zbyszek Żółkiewski

> Message written by Viktor Dukhovni <postfix-us...@dukhovni.org> on 13.04.2017, at 19:21:
>
>> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski <t...@onefellow.com> wrote:
>>
>> all looks good except _outgoing_ mail that still uses
>> ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
>> ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using
>> ECDHE-ECDSA-AES256-GCM-SHA384.
>>
>> so where is problem ? settings are:
>>
>> smtp_tls_ciphers = high
>> smtp_tls_mandatory_ciphers = high
>> smtpd_tls_ciphers = high
>> smtpd_tls_mandatory_ciphers = high
>> tls_high_cipherlist = ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>
> Please stop.
>
> In trying to make your server "more secure" you're making it less secure.
> See https://tools.ietf.org/html/rfc7435 for why.
>
> The reason outgoing mail is not using ECDSA is that almost nobody has
> configured ECDSA certificates along with their RSA certificates on their
> MX hosts. No matter how fancy your SMTP client configuration the server
> won't suddenly acquire an ECDSA key-pair.
>
Thanks for the insights, Gmail for example works as I mentioned before.
Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH" is a default Postfix configuration - and I do not change it - just by adding ECDSA at the beginning, I am changing order of ciphers.

And you stated that "OpenSSL prefers ECDSA to RSA by default." - that’s not true, you can see yourself in openssl ciphers command:

    openssl ciphers
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:……..

that is openssl 1.0.1 (Debian 8), openssl in fact mixes ECDHE-RSA and ECDHE-ECDSA (I guess order is because that suite is similar in strength, maybe)

> The fewer changes you make to the Postfix TLS cipher settings, the more likely
> you're to have a reasonably secure and interoperable configuration.
>
> It is at this time not unreasonable to set "tls_preempt_cipherlist = yes" if
> some of your SMTP clients have "poor" cipher preferences.
>
> You can also exclude some truly obsolete ciphers via:
>
>     smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
>
> which makes for a more compact TLS ClientHello. This is generally not
> needed. Some of these exclusions might happen by default in a future
> Postfix release. The MD5, kDH and kECDH ciphers are largely gone from
> OpenSSL 1.1.0 and later. Only the eNULL MD5 cipher remains:
>
>     $ openssl ciphers -v MD5:kDH:kECDH
>     NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
>
> --
> Viktor.
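
Added example, not part of the thread and not Postfix or OpenSSL code: a simplified model of TLS 1.2 cipher-suite selection showing why a client that lists ECDSA first still ends up on an ECDHE-RSA suite when the remote MX holds only an RSA certificate. The function names, `CLIENT_OFFER` and `SERVER_SUITES` are constructed for illustration; `server_preference` models a server that imposes its own order, as `tls_preempt_cipherlist = yes` does.

```python
# Constructed sample in `openssl ciphers -v` format: a client offer with ECDSA first.
CLIENT_OFFER = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# Constructed sample: suites a remote server has enabled, in its own order.
SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
]


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into (name, auth) pairs, order preserved."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append((fields[0], attrs.get("Au", "")))
    return suites


def negotiate(client_offer, server_suites, server_cert_types, server_preference=False):
    """Return the suite the modelled server picks, or None if nothing is usable.

    server_cert_types: key types the server has certificates for, e.g. {"RSA"}.
    A suite is usable only if the client offered it AND the server holds a
    certificate matching the suite's authentication (Au=) type.
    """
    offered = parse_ciphers(client_offer)
    auth = dict(offered)
    usable = [s for s in server_suites
              if s in auth and auth[s] in server_cert_types]
    if not usable:
        return None
    if server_preference:
        return usable[0]  # server imposes its own order
    # Otherwise the first client-offered suite that the server can use wins.
    return next(name for name, _ in offered if name in usable)


if __name__ == "__main__":
    print("RSA-only server:", negotiate(CLIENT_OFFER, SERVER_SUITES, {"RSA"}))
    print("Dual-cert server:", negotiate(CLIENT_OFFER, SERVER_SUITES, {"RSA", "ECDSA"}))
```
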