On Thu, Jan 24, 2019 at 05:19:44PM -0500, Scott Kitterman wrote:

> I'm the Debian postfix maintainer and part of why I'm on this list is
> to help with our distro specific issues.

Speaking of "distro-specific issues", I just today came across a
Debian "buster" system where the OpenSSL version is 1.1.1, and the
default /etc/ssl/openssl.cnf file has an ssl module configuration
section:

    # System default
    openssl_conf = default_conf

    [default_conf]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2

While Postfix 3.4, if compiled against OpenSSL 1.1.1b (once that
version is released), will be able to opt-out of processing the
system-wide default file, Postfix 3.3 or 3.4 with OpenSSL 1.1.x
prior to 1.1.1b, will unconditionally load this configuration.

Fortunately, the rather strict CipherString will have no effect,
since Postfix always overrides the cipherlist.  Still I should note
that in other applications @SECLEVEL=2 yields a 2048-bit floor on
RSA certs, which may be too strict, there's not much evidence of
practical attacks on 1280-bit or 1536-bit certs, and even attacks on
1024-bit RSA are largely speculative.  The other thing to note here
is that the correct syntax is "DEFAULT:@SECLEVEL=2".

The missing ":" works only "by accident", as a side-effect of the
special-case manner in which the "DEFAULT" cipher is implemented.
If the first component were anything other than "DEFAULT" it would
break.

More importantly however, the "MinProtocol" setting will affect
Postfix, and there is as yet no mechanism in Postfix to override
this.  Postfix 3.4 will make it possible to set the "application
name" to "postfix" or similar, and edit the /etc/ssl/openssl.cnf
file to include:

    # System default
    postfix = postfix_conf

    [postfix_conf]
    ssl_conf = postfix_ssl_sect

    [postfix_ssl_sect]
    system_default = postfix_default_sect

    [postfix_default_sect]
    MinProtocol = TLSv1

While MTAs running only SSLv3 are largely behind us, I am less
confident that TLSv1-only systems are gone.  Some users may have
trouble doing TLS with peers that support only TLSv1 or TLSv1.1.
This may be especially important with submission, where various
peripheral devices (fax-to-email, printers, ...) may only support
TLSv1.  So the "buster" system-wide default of TLSv1.2 and up may
cause problems.

-- 
        Viktor.
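
An added example, not part of the original message and not Postfix or OpenSSL code: a simplified Python reader that follows the openssl_conf -> ssl_conf -> system_default chain shown above and reports the settings the ssl module section would apply, flagging a CipherString with no separator before "@". The function names and the `app_key` parameter are hypothetical, the sample is constructed from the quoted "buster" stanza, and the parser ignores includes, variable expansion and line continuations.

```python
import re

# Constructed sample: the "buster" stanza quoted in the message.
SAMPLE = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

def parse_cnf(text):
    """Simplified openssl.cnf reader: [sections] and name = value pairs only."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def ssl_defaults(text, app_key="openssl_conf"):
    """Follow app_key -> ssl_conf -> system_default; return (settings, warnings)."""
    sections, scope = parse_cnf(text), ""
    for key in (app_key, "ssl_conf", "system_default"):
        name = sections[scope].get(key)
        if name is None:
            return {}, [f"no '{key}' entry in section '{scope or 'default'}'"]
        if name not in sections or name == scope:
            return {}, [f"'{key}' does not resolve to another section: {name}"]
        scope = name
    settings, warnings = dict(sections[scope]), []
    cs = settings.get("CipherString", "")
    if re.search(r"[^:;, ]@", cs):  # '@' glued to the preceding cipher token
        warnings.append(f"CipherString '{cs}' lacks a separator before '@'")
    return settings, warnings

if __name__ == "__main__":
    print(ssl_defaults(SAMPLE))
```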
