On Tue, Mar 16, 2021 at 05:51:07PM +0100, Matus UHLAR - fantomas wrote:
> >When the Postfix TLS security level requires authentication (mandatory
> >TLS stronger than just "encrypt"), Postfix automatically disables the
> >aNULL ciphers internally. You never need to do this explicitly, except to
> >satisfy some clueless auditor's checklist.
>
> when did postfix start doing that?

IIRC Postfix 2.3, when security levels were introduced. Note this is
about smtp(8) (the Postfix SMTP client).

> I noticed that nessus reports aNULL available on 465 and 587 with:
> smtpd_tls_exclude_ciphers =
> MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES

The SMTP server (smtpd(8)) only supports "may" or "encrypt", and
generally does not have any certificates to validate. When you enable
requesting client certificates, aNULL is again automatically disabled.

> when I have added:
> smtpd_tls_mandatory_exclude_ciphers = aNULL
>
> situation changed with aNULL only on 25.

But why do you feel compelled to do this? What's the point?

https://tools.ietf.org/html/rfc7672#section-8.2

Again, you're making check boxes go green, not actually addressing real
security issues.

--
Viktor.
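As an added illustration (not part of the thread), a main.cf fragment showing which settings make Postfix drop aNULL on its own, so that an explicit aNULL exclusion only serves a scanner. The parameter names are standard Postfix ones; the exclude list is the one Matus posted, and the assumption that 465/587 run at the "encrypt" level (via master.cf overrides) is mine.

```ini
# Postfix SMTP client (smtp(8)): any level that authenticates the peer
# ("dane", "verify", "secure") disables aNULL automatically, so no
# smtp_tls_mandatory_exclude_ciphers = aNULL entry is needed.
smtp_tls_security_level = dane

# Postfix SMTP server (smtpd(8)) on port 25: opportunistic TLS.
# aNULL is offered here; the remote client does not authenticate the
# server at this level, so an anonymous handshake loses nothing
# (see RFC 7672 section 8.2).
smtpd_tls_security_level = may

# Hygiene exclusions from the thread; applied at every security level.
smtpd_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5, RC4, 3DES

# Requesting client certificates is the knob that turns aNULL off on the
# server side; enable it only if you actually validate client certs.
# smtpd_tls_ask_ccert = yes

# What Matus added. It affects only sessions at mandatory ("encrypt")
# level, which (assumption) is how 465/587 are configured in master.cf,
# hence aNULL still appeared on port 25 afterwards. It changes nothing
# about what a client can rely on; it only changes the scanner output.
# smtpd_tls_mandatory_exclude_ciphers = aNULL
```

After editing, `postfix reload` and re-run the scan only to confirm the scanner is happy; the threat model is unchanged either way.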