On Fri, Jan 29, 2021 at 02:08:48PM +0100, Matus UHLAR - fantomas wrote:
Excluding aNULL should not be needed on smtp port, but apparently
is useful on ports with mandatory encryption.

On 29.01.21 11:53, Viktor Dukhovni wrote:
It is only ever *needed* on the client side, when *authenticating* the
server.  Postfix does that automatically when "smtp_tls_security_level"
is "higher" than "encrypt" (i.e. higher than mandatory encryption without
authentication, so either fingerprint, PKIX or DANE).

The only reason to disable aNULL is because some clueless "scorecard"
fails to report "green", when aNULL is enabled.  The bug is in the
scorecard, not the server that supports aNULL.

   https://tools.ietf.org/html/rfc7672#section-8.2

This should probably be better:

smtpd_tls_exclude_ciphers=MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES
smtpd_tls_mandatory_exclude_ciphers=aNULL

Mostly harmless, but not necessary.

yes, but when the policy is encryption required for client-server
connections, aNULL would break that IIUC
- please correct me if I'm wrong

I borrowed from https://marc.info/?l=postfix-users&m=155509005512179&w=2

It seems I said much the same thing back then...

>> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
>> smtp_tls_protocols = !SSLv2,!SSLv3
>
>There are default values, no need to set them explicitly.

smtp_tls_mandatory_protocols could have ,!TLSv1 appended though.
(some seem to recommend even ,!TLSv1.1)

No.  That's unwise.  Causes needless downgrades to cleartext.

not for tls_mandatory* where it should cause a temporary error.

However, I mistook smtp_ for smtpd_, which makes some difference...

>> smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key
>> smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt
>
>Make sure this includes any requisite intermediate CA certs.

It seems that if we provide smtpd_tls_CAfile with the intermediate certificate for
our certificate specified by smtpd_tls_cert_file, the authority gets added
to the certificate chain.

I'm curious if this is intentional.

The problem with smtpd_tls_CAfile is that it also gets sent to the
client as a list of acceptable CAs (but I failed to mention the
precondition that this only happens when requesting of client certs is
enabled).  It is better to put the intermediate certs in the cert
chain file, than to pray that they might be found in CAfile.

Just don't bother with CAfile unless you absolutely must have one.

I just wanted to note that smtpd_tls_CAfile may be used for providing an
intermediate certificate, which can cause an unwanted side effect with client
SSL authentication.

--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.

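The three points argued in this thread (aNULL only matters on the mandatory-TLS lists, excluding old TLS versions from opportunistic smtp_tls_protocols downgrades to cleartext, and smtpd_tls_CAfile leaks its CAs as acceptable client-certificate issuers when client certs are requested) can be checked mechanically before a main.cf goes live. The linter below is an added example written for this summary; it is not Postfix code and not a postfix-users tool. It assumes the standard main.cf syntax (name = value, whitespace-led continuation lines, # comments), and it assumes that the "requesting of client certs" Viktor refers to corresponds to the Postfix parameter smtpd_tls_ask_ccert. The two embedded configurations are constructed samples: the first reproduces the settings quoted in the thread plus a placeholder CAfile path, the second is the corrected form.

```python
"""Constructed linter for the Postfix TLS settings discussed in the thread.
Not Postfix code and not a postfix-users tool: it reads main.cf-style text
and flags the three patterns the thread warns about."""
import re

# Constructed sample built from the settings quoted in the thread; the
# intermediate.pem path is a placeholder, not from the thread.
SAMPLE_MAIN_CF = """\
smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key
smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt
smtpd_tls_CAfile = /etc/postfix/intermediate.pem
smtpd_tls_ask_ccert = yes
# aNULL here is harmless but pointless: opportunistic TLS never authenticates
smtpd_tls_exclude_ciphers = aNULL, MD5, SRP, PSK, aDSS, kECDH, kDH,
    SEED, IDEA, RC2, RC5, RC4, 3DES
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""

# Constructed corrected form: intermediates belong in the cert chain file,
# aNULL is excluded only on the mandatory list, and only the mandatory
# client protocol list is tightened.
CORRECTED_MAIN_CF = """\
smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key
smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt
smtpd_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4, 3DES
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments, and continuation
    lines that start with whitespace. Later assignments override earlier ones."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()  # continuation of previous value
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def tokens(value):
    """Split a Postfix cipher/protocol list on whitespace, commas or colons."""
    return [t for t in re.split(r"[\s,:]+", value) if t]


def lint_tls(params):
    """Return a list of 'parameter: problem' strings, in a fixed order."""
    findings = []
    # 1. aNULL on the opportunistic exclude lists adds nothing: no peer is
    #    authenticated there anyway. Only the *_mandatory_* list matters.
    for p in ("smtp_tls_exclude_ciphers", "smtpd_tls_exclude_ciphers"):
        if "aNULL" in tokens(params.get(p, "")):
            findings.append(f"{p}: aNULL on an opportunistic list is unnecessary; "
                            "keep it only on the *_mandatory_exclude_ciphers list")
    # 2. Disabling old TLS versions for *opportunistic* client TLS makes
    #    Postfix fall back to cleartext with servers that only speak them.
    if any(t in ("!TLSv1", "!TLSv1.1") for t in tokens(params.get("smtp_tls_protocols", ""))):
        findings.append("smtp_tls_protocols: excluding TLSv1/TLSv1.1 here causes needless "
                        "downgrades to cleartext; restrict smtp_tls_mandatory_protocols instead")
    # 3. With client-cert requests enabled, every CA in smtpd_tls_CAfile is
    #    advertised to clients as an acceptable client-cert issuer.
    asks_ccert = params.get("smtpd_tls_ask_ccert", "no").strip().lower() == "yes"
    if params.get("smtpd_tls_CAfile") and asks_ccert:
        findings.append("smtpd_tls_CAfile: its CAs are sent to clients as acceptable client-cert "
                        "issuers while smtpd_tls_ask_ccert=yes; put intermediates in "
                        "smtpd_tls_cert_file and drop CAfile unless it is really needed")
    return findings


def lint_sample():
    return lint_tls(parse_main_cf(SAMPLE_MAIN_CF))


def lint_corrected():
    return lint_tls(parse_main_cf(CORRECTED_MAIN_CF))


if __name__ == "__main__":
    for finding in lint_sample():
        print("sample:", finding)
    print("corrected:", lint_corrected() or "no findings")
```

Run against a real installation, replace the embedded sample with the output of `postconf -n`; the parser handles the same syntax. The linter deliberately does not flag aNULL on smtpd_tls_mandatory_exclude_ciphers or old protocols on smtp_tls_mandatory_protocols, since those are the places where the thread says such restrictions belong.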