On Fri, Jan 29, 2021 at 02:08:48PM +0100, Matus UHLAR - fantomas wrote:

> Excluding aNULL should not be needed on smtp port, but apparently
> is useful on ports with mandatory encryption.

It is only ever *needed* on the client side, when *authenticating* the
server.  Postfix does that automatically when "smtp_tls_security_level"
is "higher" than "encrypt" (i.e. higher than mandatory encryption without
authentication, so either fingerprint, PKIX or DANE).

The only reason to disable aNULL is because some clueless "scorecard"
fails to report "green", when aNULL is enabled.  The bug is in the
scorecard, not the server that supports aNULL.

    https://tools.ietf.org/html/rfc7672#section-8.2

> This should probably be better:
> 
> smtpd_tls_exclude_ciphers=MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES
> smtpd_tls_mandatory_exclude_ciphers=aNULL

Mostly harmless, but not necessary.

> I borrowed from https://marc.info/?l=postfix-users&m=155509005512179&w=2

It seems I said much the same thing back then...

> >> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> >> smtp_tls_protocols = !SSLv2,!SSLv3
> >
> >There are default values, no need to set them explicitly.
> 
> smtp_tls_mandatory_protocols could have ,!TLSv1 appended though.
> (some seem to recommend even ,!TLSv1.1)

No.  That's unwise.  Causes needless downgrades to cleartext.

> >> smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key
> >> smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt
> >
> >Make sure this includes any requisite intermediate CA certs.
> 
> seems that if we provide smtpd_tls_CAfile with intermediate certificate to
> our certificate specified by smtpd_tls_cert_file, the authority gets added
> to certificate chain.
> 
> I'm curious if this is intentional.

The problem with smtpd_tls_CAfile is that it also gets sent to the
client as a list of acceptable CAs (but I failed to mention the
precondition that this only happens when requesting client certs is
enabled).  It is better to put the intermediate certs in the cert
chain file than to pray that they might be found in CAfile.

Just don't bother with CAfile unless you absolutely must have one.

-- 
    Viktor.
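Added example, not part of Viktor's message or of Postfix itself: a shell script that builds a throw-away root, intermediate and server certificate with openssl (all names and files constructed for the demo), then checks whether a candidate smtpd_tls_cert_file lets a client that trusts only the root validate the server cert, which is exactly what fails when the intermediate is left out of the chain file.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away root -> intermediate -> server
# chain with openssl, then check whether a candidate smtpd_tls_cert_file is complete.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: placeholder names, one-day validity, nothing here is a real CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Root CA (self-signed) and intermediate CA (signed by the root).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root' \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=smtp.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# Two candidate cert files. Postfix reads smtpd_tls_cert_file as the server cert first,
# followed by its issuer certs, so the second file is the form the thread recommends.
cp "$WORK/leaf.pem" "$WORK/leaf_only.pem"
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/leaf_and_int.pem"

# chain_complete CERTFILE ROOT: succeed when the first cert in CERTFILE validates to ROOT
# using only the other certs in CERTFILE as untrusted intermediates, i.e. what a verifying
# SMTP client that trusts the root but has never seen the intermediate would conclude.
# The same check applies to the chain a live server sends, as dumped by
# "openssl s_client -starttls smtp -connect host:25 -showcerts".
chain_complete() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

for f in leaf_only.pem leaf_and_int.pem; do
    if chain_complete "$WORK/$f" "$WORK/root.pem"; then
        echo "$f: complete chain"
    else
        echo "$f: INCOMPLETE, intermediate missing from the cert file"
    fi
done
```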
