On 23-09-2021 at 22:26, Viktor Dukhovni wrote:
> On Thu, Sep 23, 2021 at 10:02:26PM -0400, David Mandelberg wrote:
>
>> With the settings below, postfix 3.5.6 and openssl 1.1.1k successfully
>> connected to a server with a 2048-bit RSA key, which should be
>> disallowed by openssl's security level 4.
>
> Postfix explicitly overrides the security level to 0 for the "may"
> and "encrypt" security levels, and 1 for all higher levels.

Ok, that's what I thought was going on, thanks for confirming it.

> Coincidentally, Wietse and I were just discussing the possibility of
> making the authenticated TLS security level configurable.  Not that
> it's actually a good idea in most cases to turn it up to 11.

That would be great if it were configurable. It would also be a lot easier than messing with cipher lists.

> No, we're just helping you to avoid wasting your time to erect unnecessary
> interoperability barriers. :-)

Interoperability is almost a complete non-issue for what I'm trying to use level 4 with. My plan was to use level 4 for purely internal connections between my own postfix servers, and from postfix to dovecot. Then I'd use level 2 from thunderbird/k-9/etc. to postfix and from postfix to my upstream relay, and level 0 from the general internet to postfix. (Level 3 would be fine too for the first group, but 4 seems just as easy to set up for that limited set of computers, so why not.)

> One could make a weak case that on SUBMIT ports (465 and 587) the SMTP
> server should set a high floor on TLS parameters to assure a secure
> connection from clients, but this would mostly be a mirage.

It's a mirage for emails destined to a different domain, yes. (Unless you make some out-of-band agreement and configuration with that domain.) Is there a reason it's also a mirage for emails that don't leave the administrative domain? It seems like it shouldn't be that hard to require authenticated TLS for the entire path within my own domain.

> You get security by raising the ceiling not the floor (see also
> <https://datatracker.ietf.org/doc/html/rfc7435>).  Barring rather novel
> handshake protocol downgrade attacks on TLS 1.2, the client and server
> will negotiate the strongest mutually available ciphers.  Setting high
> floors is counter-productive for SMTP and mostly a bad idea also for
> SUBMIT, unless you expect to be supporting users with exceedingly
> outdated software on their systems, which you want to force them to
> upgrade by refusing connectivity.

I want to refuse connectivity between my own computers if they're misconfigured. For interoperability with other people's computers, I plan to use much looser settings.

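Since Postfix pins the OpenSSL security level itself, the check the thread describes (does an internal server with a 2048-bit RSA key still pass at level 4?) can be made from outside with `openssl s_client`'s `@SECLEVEL=` cipher-string syntax. The helper below is an added example, not part of this thread or of Postfix; `probe`, `server_key_bits`, `meets_level`, the threshold table and the sample output are my own constructions.

```python
import re
import subprocess

# Minimum key sizes OpenSSL enforces at each security level, per the
# SSL_CTX_set_security_level documentation (0/80/112/128/192/256 bits of
# security). Levels 3 and 4 both reject the 2048-bit RSA key the thread's
# test server presented, which is what the probe below would surface.
MIN_KEY_BITS = {
    "RSA": {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360},
    "EC":  {0: 0, 1: 160,  2: 224,  3: 256,  4: 384,  5: 512},
}

# Constructed sample of `openssl s_client` output (not a real capture).
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Verify return code: 0 (ok)
"""


def server_key_bits(s_client_output):
    """Return the peer key size that `openssl s_client` reported, or None."""
    m = re.search(r"Server public key is (\d+) bit", s_client_output)
    return int(m.group(1)) if m else None


def meets_level(bits, level, key_type="RSA"):
    """True if a key of `bits` bits would pass OpenSSL security `level`."""
    return bits is not None and bits >= MIN_KEY_BITS[key_type][level]


def probe(host, port=25, level=4):
    """Attempt a STARTTLS handshake at the given OpenSSL security level.

    Returns (handshake_ok, key_bits). Needs the openssl CLI and network
    access, so it is not exercised offline; s_client exits non-zero when
    the handshake is refused, e.g. a 2048-bit RSA key at level 4.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-starttls", "smtp", "-cipher", f"DEFAULT@SECLEVEL={level}"]
    proc = subprocess.run(cmd, input=b"QUIT\n", capture_output=True, timeout=30)
    out = proc.stdout.decode(errors="replace")
    return proc.returncode == 0, server_key_bits(out)


if __name__ == "__main__":
    import sys
    ok, bits = probe(sys.argv[1])
    print(f"handshake {'ok' if ok else 'refused'}, server key {bits} bits")
```

Run it against each internal Postfix or Dovecot host to see which ones would be cut off by a given floor before tightening anything.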