Hello,
>On Fri, Jan 29, 2021 at 06:53:09PM +0100, Matus UHLAR - fantomas wrote:
>> yes, but when the policy is encryption required for client-server
>> connections, aNULL would break that IIUC
>> - please correct me if I'm wrong
On 29.01.21 15:09, Viktor Dukhovni wrote:
>You're wrong. The "a" in aNULL ciphers stands for "authentication".
>These ciphers just do anonymous Diffie-Hellman, but do not authenticate
>either party. They encrypt the traffic just as well as the ciphers
>that present certificates that you ignore anyway.
>On Sat, Jan 30, 2021 at 06:49:42PM +0100, Matus UHLAR - fantomas wrote:
>> so, the connection/encryption would work, but with aNULL will be
>> unauthenticated, which means certificates won't be checked?
On 30.01.21 14:59, Viktor Dukhovni wrote:
>No, with aNULL certificates are not even *sent* (exchanged between
>client and server). With opportunistic TLS (security level "may")
>the "!aNULL" ciphers send server certificates the client never
>checks (sends mail anyway, regardless of the content of the
>certificate).
>When the Postfix TLS security level requires authentication (mandatory
>TLS stronger than just "encrypt"), Postfix automatically disables the
>aNULL ciphers internally. You never need to do this explicitly, except to
>satisfy some clueless auditor's checklist.
when did postfix start doing that?
I noticed that nessus reports aNULL available on 465 and 587 with:
smtpd_tls_exclude_ciphers =
MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES
when I have added:
smtpd_tls_mandatory_exclude_ciphers = aNULL
situation changed with aNULL only on 25.
this is debian 10 with postfix 3.4.14, with patches available at:
https://sources.debian.org/src/postfix/3.4.14-0+deb10u1/debian/patches/
may this one cause the issue?
https://sources.debian.org/src/postfix/3.4.14-0+deb10u1/debian/patches/tls_version.diff/
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
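The split the thread describes (anonymous suites gone from 465/587 but still offered on 25) follows from which exclusion list Postfix consults at which smtpd TLS security level: smtpd_tls_exclude_ciphers applies at every level, while smtpd_tls_mandatory_exclude_ciphers is consulted only where the level is "encrypt", which is how the submission services are normally configured via master.cf overrides. The main.cf and master.cf excerpt below is an added example for this page, not configuration posted by anyone in the thread; the certificate paths, the service layout and the syslog names are assumptions, and the cipher lists are the ones quoted above. Postfix does not support trailing comments on a parameter line, so every comment sits on its own line.

```ini
# Added example, not from the thread. Certificate paths and service
# names are placeholders.

# ---------------- main.cf ----------------
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key

# Port 25 (the default smtpd in master.cf) runs opportunistic TLS.
# Remote MTAs almost never verify our certificate, so an anonymous
# (aNULL) suite protects the traffic as well as an authenticated one.
smtpd_tls_security_level = may

# Consulted at ALL smtpd TLS security levels ("may" and "encrypt").
# aNULL is not in this list, so port 25 keeps offering anonymous suites.
smtpd_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4, 3DES

# Consulted ONLY where smtpd_tls_security_level is "encrypt", i.e. the
# submission services below. This removes anonymous suites from 465/587
# and leaves 25 untouched, which is exactly the scan result quoted above.
smtpd_tls_mandatory_exclude_ciphers = aNULL

# ---------------- master.cf ----------------
# The submission services override the level to "encrypt", so the
# mandatory exclusion list governs them. 465 is TLS "wrapper" mode; the
# explicit encrypt override is kept so the behaviour does not depend on
# what wrappermode implies.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
```

To confirm what a given port actually offers on your own server, `postconf -n` shows the effective main.cf settings, and `openssl s_client -connect mail.example.com:587 -starttls smtp -tls1_2 -cipher aNULL` (replace the host) attempts a handshake restricted to anonymous suites; a failed handshake on 587 with a successful one on 25 reproduces the Nessus finding from the thread. The `-tls1_2` is needed because TLS 1.3 suites are not governed by `-cipher` and TLS 1.3 has no anonymous mode, so without it the client would simply negotiate TLS 1.3 and the check would tell you nothing about aNULL.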