Hello Viktor,
Thanks for your feedback and for the link! Will configure 2048-bit DHE
since I'm using a version older than 3.1.
Maarten
On 2017-12-02 20:13, Viktor Dukhovni wrote:
On Dec 2, 2017, at 12:08 PM, Maarten <mailingli...@feedmebits.nl> wrote:
I set up my postfix mailserver a while ago with tls settings from:
http://www.postfix.org/TLS_README.html
http://www.postfix.org/FORWARD_SECRECY_README.html
I don't know much about TLS settings so I used the settings which
seemed to be important in the documentation.
When scanning my server with: https://www.hardenize.com

Such caution is appropriate, some similar scanners are created by crypto
zealots who don't understand opportunistic TLS, and give frankly useless
or stupid recommendations. See:
https://tools.ietf.org/html/rfc7435
for a more pragmatic and generally more effective mindset.

I got some results that need improvement:
- Server doesn't enforce cipher suite preferences: Servers that don't
enforce cipher suite preferences select the first cipher suite they
support from the list provided by clients. This approach doesn't
guarantee that best-possible cipher suite is negotiated.

This makes little difference. And who's to say the server knows better
than the client. Both are MTAs.

- Weak key exchange detected: This server uses key exchange parameters
that are weak. When using the ephemeral Diffie-Hellman key exchange
(DHE), parameters below 2048 bits are considered insecure. For
sufficient security, use 2048-bit parameters. It is generally not
advisable to use stronger key exchange because there is a measurable
performance penalty and there is no meaningful increase in security.
A well-configured TLS server should generally prefer the faster ECDHE
key exchange anyway.

The FORWARD_SECRECY_README tutorial also recommends 2048-bit DHE
parameters. See there for details.

- Reconfigure server to use forward secrecy and authenticated encryption:

This is wrong, what this site calls "authenticated encryption" (actually
AEAD) is actually rather more fragile than CBC with HMAC, relying on
non-reuse of "nonces" that can be difficult to achieve. The various
attacks on CBC are browser-specific and have been addressed via the
"encrypt-then-mac" extension in modern TLS 1.2 stacks. If both sides
support TLS 1.2 with encrypt-then-mac, you're likely safer than with
the more fashionable AEAD.

Even though this server supports TLS 1.2, the cipher suite configuration
is suboptimal. We recommend that you reconfigure the server so that the
cipher suites providing forward secrecy (ECDHE or DHE in the name, in
this order of preference) and authenticated encryption (GCM or CHACHA20
in the name) are at the top. The server must also be configured to
select the best-available suite.

The Postfix cipher order is just fine.

So I was wondering what are the recommended TLS settings for a postfix
mailserver nowadays? And what settings do I need to improve these points
pointed out by this scan?

Use the Postfix defaults, but configure 2048-bit DHE if your Postfix is
older than 3.1. Starting with 3.1 the default built-in DHE parameters
use a 2048-bit prime. You can of course still generate your own, for a
bit of extra diversity even with Postfix >= 3.1.