> On Tue, Mar 16, 2021 at 05:51:07PM +0100, Matus UHLAR - fantomas wrote:
>>> When the Postfix TLS security level requires authentication (mandatory
>>> TLS stronger than just "encrypt"), Postfix automatically disables the
>>> aNULL ciphers internally. You never need to do so explicitly, except to
>>> satisfy some clueless auditor's checklist.
>>
>> when did postfix start doing that?
>
> IIRC Postfix 2.3, when security levels were introduced. Note this is
> about smtp(8) (the Postfix SMTP client).
>
>> I noticed that nessus reports aNULL available on 465 and 587 with:
>>
>> smtpd_tls_exclude_ciphers =
>>     MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES
>
> The SMTP server (smtpd(8)) only supports "may" or "encrypt", and
> generally does not have any certificates to validate. When you enable
> requesting client certificates, aNULL is again automatically disabled.
>
>> when I added:
>>
>> smtpd_tls_mandatory_exclude_ciphers = aNULL
>>
>> the situation changed, with aNULL only on 25.

On 19.03.21 14:05, Viktor Dukhovni wrote:
> But why do you feel compelled to do this? What's the point?
>
> https://tools.ietf.org/html/rfc7672#section-8.2
>
> Again, you're making check boxes go green, not actually addressing real
> security issues.
I mean, aNULL on port 25 is fine.
aNULL on port 465 and 587 is not fine, is it?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
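The rules exchanged in this thread (smtpd_tls_exclude_ciphers applies at every smtpd security level, smtpd_tls_mandatory_exclude_ciphers only at "encrypt", and requesting client certificates disables aNULL on its own) can be checked per listener before an auditor runs a scanner. The script below is an added illustration, not code from the thread or from Postfix: it parses constructed main.cf and master.cf fragments modelled on the two configurations Matus posted and reports, for each smtpd service, whether aNULL suites are still offerable. It matches the literal token "aNULL" and does not expand OpenSSL aliases such as ADH or AECDH, nor does it model cipher-grade settings; the service names and overrides are constructed for the example.

```python
import re

# Constructed main.cf fragments mirroring the thread: the first only has
# smtpd_tls_exclude_ciphers (the state in which Nessus still saw aNULL on
# 465/587), the second adds smtpd_tls_mandatory_exclude_ciphers = aNULL.
MAIN_CF_BEFORE = """
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers =
    MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES
"""

MAIN_CF_AFTER = MAIN_CF_BEFORE + "smtpd_tls_mandatory_exclude_ciphers = aNULL\n"

# Constructed master.cf: port 25 inherits "may", submission (587) and
# smtps (465) are set to "encrypt" via -o overrides, as is common practice.
MASTER_CF = """
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
smtps      inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; an indented line continues the previous value."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            continue
        name, value = raw.split("=", 1)
        last = name.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {param: value}} for every smtpd service and its -o overrides."""
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            current = fields[0]
            services[current] = {}
        else:
            current = None  # not an SMTP server listener; ignore its overrides
    return services


def cipher_tokens(value):
    """Split a Postfix cipher exclusion list on commas and whitespace."""
    return {t for t in re.split(r"[,\s]+", value.strip()) if t}


def anull_offered(effective):
    """Apply the thread's rules to one listener's effective smtpd settings."""
    level = effective.get("smtpd_tls_security_level", "none")
    if level == "none":
        return False  # no TLS at all, so no aNULL suite can be negotiated
    excluded = cipher_tokens(effective.get("smtpd_tls_exclude_ciphers", ""))
    if level == "encrypt":  # the only mandatory level smtpd(8) supports
        excluded |= cipher_tokens(effective.get("smtpd_tls_mandatory_exclude_ciphers", ""))
    # Requesting client certificates makes Postfix drop aNULL automatically.
    if effective.get("smtpd_tls_ask_ccert", "no") == "yes" or \
            effective.get("smtpd_tls_req_ccert", "no") == "yes":
        return False
    return "aNULL" not in excluded


def audit(main_text, master_text):
    """Map each smtpd service name to True if aNULL suites remain offerable."""
    base = parse_main_cf(main_text)
    return {name: anull_offered({**base, **overrides})
            for name, overrides in parse_master_cf(master_text).items()}


if __name__ == "__main__":
    for label, cfg in (("before", MAIN_CF_BEFORE), ("after", MAIN_CF_AFTER)):
        print(label, audit(cfg, MASTER_CF))
```

Running it reproduces the thread: with only smtpd_tls_exclude_ciphers every listener still offers aNULL, and after adding smtpd_tls_mandatory_exclude_ciphers = aNULL only port 25 does, since "may" is not a mandatory level. Setting smtpd_tls_ask_ccert = yes in the constructed main.cf would clear aNULL on all three without any cipher list change, which is the automatic behaviour Viktor describes.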