> On Dec 2, 2017, at 12:08 PM, Maarten <mailingli...@feedmebits.nl> wrote:
>
> I set up my postfix mailserver a while ago with tls settings from:
>
> http://www.postfix.org/TLS_README.html
> http://www.postfix.org/FORWARD_SECRECY_README.html
>
> I don't know much about TLS settings so I used the settings which seemed to be
> important in the documentation.
>
> When scanning my server with: https://www.hardenize.com

Such caution is appropriate, some similar scanners are created by
crypto zealots who don't understand opportunistic TLS, and give
frankly useless or stupid recommendations. See:

    https://tools.ietf.org/html/rfc7435

for a more pragmatic and generally more effective mindset.

> I got some results that need improvement:
>
> - Server doesn't enforce cipher suite preferences: Servers that don't enforce
> cipher suite preferences select the first cipher suite they support from the
> list provided by clients. This approach doesn't guarantee that best-possible
> cipher suite is negotiated.

This makes little difference. And who's to say the server knows
better than the client? Both are MTAs.

> - Weak key exchange detected: This server uses key exchange parameters that are
> weak. When using the ephemeral Diffie-Hellman key exchange (DHE), parameters
> below 2048 bits are considered insecure. For sufficient security, use 2048-bit
> parameters. It is generally not advisable to use stronger key exchange because
> there is a measurable performance penalty and there is no meaningful increase
> in security. A well-configured TLS server should generally prefer the faster
> ECDHE key exchange anyway.

The FORWARD_SECRECY_README tutorial also recommends 2048-bit DHE
parameters. See there for details.

> - Reconfigure server to use forward secrecy and authenticated encryption:

This is wrong, what this site calls "authenticated encryption"
(actually AEAD) is actually rather more fragile than CBC with HMAC,
relying on non-reuse of "nonces" that can be difficult to achieve.
The various attacks on CBC are browser-specific and have been
addressed via the "encrypt-then-mac" extension in modern TLS 1.2
stacks. If both sides support TLS 1.2 with encrypt-then-mac, you're
likely safer than with the more fashionable AEAD.

> Even though this server supports TLS 1.2, the cipher suite configuration is
> suboptimal. We recommend that you reconfigure the server so that the cipher
> suites providing forward secrecy (ECDHE or DHE in the name, in this order of
> preference) and authenticated encryption (GCM or CHACHA20 in the name) are
> at the top. The server must also be configured to select the best-available
> suite.

The Postfix cipher order is just fine.

> So I was wondering what are the recommended TLS settings for a postfix mailserver
> nowadays? And what settings do I need to improve these points pointed out by this
> scan?

Use the Postfix defaults, but configure 2048-bit DHE if your Postfix
is older than 3.1. Starting with 3.1 the default built-in DHE
parameters use a 2048-bit prime. You can of course still generate
your own, for a bit of extra diversity even with Postfix >= 3.1.

--
Viktor.
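
The closing advice above, as an added example that is not part of the original message or of the Postfix documentation: a script that generates a 2048-bit DHE group only when the installed Postfix predates 3.1. The file name dh2048.pem and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumed names: dh2048.pem, needs_custom_dh, apply_dh_params.

# Exit 0 when the given mail_version predates 3.1 (built-in DHE group is
# not yet 2048 bits), 1 when it is 3.1 or later, 2 when it cannot be parsed.
needs_custom_dh() {
    v=$1
    case "$v" in
        *.*) ;;
        *) return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}      # "3-20180101" (snapshot) -> "3"
    case "$major" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ -n "$minor" ] || return 2
    [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 1 ]; }
}

# Generate the group and point smtpd at it. Run as root.
apply_dh_params() {
    ver=$(postconf -h mail_version) || return 1
    needs_custom_dh "$ver" && rc=0 || rc=$?
    case "$rc" in
        0) ;;
        1) echo "Postfix $ver already has a 2048-bit built-in DHE group"
           return 0 ;;
        *) echo "cannot parse mail_version: $ver" >&2
           return 1 ;;
    esac
    dir=$(postconf -h config_directory) || return 1
    # Write to a temporary name first so a failed run leaves no partial file.
    # The parameter name is historical; it accepts 2048-bit groups as well.
    openssl dhparam -out "$dir/dh2048.pem.tmp" 2048 &&
        chmod 644 "$dir/dh2048.pem.tmp" &&
        mv "$dir/dh2048.pem.tmp" "$dir/dh2048.pem" &&
        postconf -e "smtpd_tls_dh1024_param_file = $dir/dh2048.pem" &&
        postfix reload
}

# Nothing is changed unless the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_dh_params
fi
```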