Re: possible to reach hardenize's requirements?

Viktor Dukhovni Fri, 12 Apr 2019 08:37:26 -0700

> On Apr 12, 2019, at 10:46 AM, micah anderson <[email protected]> wrote:
> 
> I know that 'hardening postfix' threads have been posted here a number
> of times, I've read them and I understand the recommendations if you
> want to continue delivering and accepting email from the internet. What
> I'm trying to find out if there is a way to thread the needle: favor
> "better" ciphers, while limiting the impact to ancient software. I say
> 'limit' because I realize that even just turning on
> `tls_preempt_cipher_list=yes` will already cause problems with Windows
> 2000 Microsoft Exchange, but I feel that may be an acceptable trade-off
> at this point.


Any reasonably recent version of OpenSSL will by default favour stronger
ciphers, including listing ciphers that do forward-secrecy above the rest.
For example, with OpenSSL 1.0.2 I get:

$ openssl ciphers -v 'HIGH+AES:!eNULL:!PSK:!SRP:!aDSS:!kDH:!kECDH:!aNULL'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) 
Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) 
Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

The 'HIGH+AES:!eNULL:!PSK:!SRP:!aDSS:!kDH:!kECDH:!aNULL' is not intended as a
recommended configuration, rather it cuts down on some of the noise, showing
the overall cipher order for just AES.  The top nine ciphers all offer
forward-secrecy.

That said, I would recommend reducing the attack surface by dropping some
ciphers nobody is using that would not be a good idea to use:

        smtpd_tls_exclude_ciphers = aDSS, kDH, kECDH, SEED, IDEA

you could add RC4 and 3DES to the list if Exchange 2003 is no longer on your
radar.

-- 
        Viktor.

Re: possible to reach hardenize's requirements?

Reply via email to