Viktor,
On Wed, Nov 7, 2018, at 12:03 AM, Viktor Dukhovni wrote:
> Check your logs for evidence of TLS <= 1.2 ciphers
Doing the quick check you mentioned, first for my messy 'test' server, results
are just
11 TLS_AES_256_GCM_SHA384
Those log messages, for me, are all generated on internal connections, e.g.,
/var/log/postfix/postfix.log:Nov 4 15:21:45 mx postfix/postscreen-internal/smtpd[15675]: Anonymous TLS connection established from mx.example.com[XX.XX.XX.XX]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
IIUC (?), 'something' in my current config is enabling that internal use of
the TLS_AES_256_GCM_SHA384 cipher ... and, if I were to disable
'keyEncipherment' and generate/use new certs, I'd likely drop to cleartext?
Here, atm,
cat master.cf
[mx.example.com]:25 inet n - n - 1 postscreen
  -o postscreen_tls_security_level=may
  -o smtpd_service_name=postscreen-internal
...
postscreen-internal pass - - n - - smtpd
  -o syslog_name=postfix/postscreen-internal
  -o smtpd_tls_security_level=may
...
and
cat main.cf
...
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_eecdh_grade = auto
tls_eecdh_auto_curves = X25519 X448 secp384r1 prime256v1 secp521r1
tls_preempt_cipherlist = yes
tls_high_cipherlist = !PSK:!aDSS:!MD5:!kECDH:!kDH:!RC2:!RC5:!IDEA:!SEED!CAMELLIA:AEAD:-AEAD:CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:@STRENGTH
tls_medium_cipherlist = !PSK:!aDSS:!MD5:!kECDH:!kDH:!RC2:!RC5:!IDEA:!SEED!CAMELLIA:AEAD:-AEAD:CHACHA20:-CHACHA20:aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = EXPORT, LOW, RC4, eNULL, NULL
tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
...
If, in fact, I need to NOT use the "non-PFS RSA key transport", even for that
internal transport, would I need to specifically, additionally exclude a
particular cipher/protocol here?
Or is it simply not an issue, and unaffected, for this internal transport?
For that matter, is it possible to specifically limit that internal transport
to a specific, efficient but secure, cipher?
I suspect it all needs a modernizing clean-up, since, admittedly, it's a bit
long-in-the-tooth ...
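
The log check discussed in this message, as an added example that is not part of the original post or of Postfix: it tallies "TLS connection established" lines per service, protocol and cipher, and marks the combinations that lack forward secrecy. The sample lines are constructed, the function names are hypothetical, and the cipher-name prefix test is an assumption about OpenSSL's TLS <= 1.2 cipher names.

```python
import re
from collections import Counter

# Constructed sample lines in the log format quoted in the message;
# host names and addresses are placeholders.
SAMPLE_LOG = """\
Nov 4 15:21:45 mx postfix/postscreen-internal/smtpd[15675]: Anonymous TLS connection established from mx.example.com[XX.XX.XX.XX]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Nov 4 15:22:10 mx postfix/postscreen-internal/smtpd[15680]: Anonymous TLS connection established from mail.example.net[XX.XX.XX.XX]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 4 15:23:02 mx postfix/postscreen-internal/smtpd[15691]: Anonymous TLS connection established from old.example.org[XX.XX.XX.XX]: TLSv1 with cipher AES256-SHA (256/256 bits)
Nov 4 15:23:40 mx postfix/smtp[15702]: Untrusted TLS connection established to mx.example.net[XX.XX.XX.XX]:25: TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
Nov 4 15:24:00 mx postfix/postscreen-internal/smtpd[15691]: disconnect from old.example.org[XX.XX.XX.XX]
"""

# service[pid]: <level> TLS connection established from|to peer: PROTO with cipher NAME
TLS_RE = re.compile(
    r"(\S+)\[\d+\]: \w+ TLS connection established (?:from|to) \S+: "
    r"(\S+) with cipher (\S+)"
)

# Assumption: OpenSSL names for TLS <= 1.2 ciphers with ephemeral (EC)DH key
# exchange carry one of these prefixes; names without one (AES256-SHA, ...)
# are treated as non-PFS RSA key transport.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-")


def forward_secret(protocol, cipher):
    # TLS 1.3 has no RSA key transport at all.
    return protocol == "TLSv1.3" or cipher.startswith(FS_PREFIXES)


def tally(lines):
    """Count TLS sessions per (service, protocol, cipher)."""
    counts = Counter()
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            counts[m.groups()] += 1
    return counts


def non_fs(counts):
    """Return the tallied combinations that lack forward secrecy."""
    return sorted(k for k in counts if not forward_secret(k[1], k[2]))


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG.splitlines())
    for (service, protocol, cipher), n in sorted(counts.items()):
        flag = "" if forward_secret(protocol, cipher) else "  <-- no forward secrecy"
        print(f"{n:5d} {service} {protocol} {cipher}{flag}")
```

Feeding it the real log (for example `tally(open("/var/log/postfix/postfix.log"))`) separates the postscreen-internal sessions from other services, so it shows whether any peer still negotiates an RSA key transport cipher before the certificate's keyEncipherment usage is dropped.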