On Mon, Jan 10, 2022 at 11:17:12AM -0500, Alex wrote:
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication) offered (NOT ok)
In addition to the text in TLS_README, see:
https://datatracker.ietf.org/doc/html/rfc7672#section-8.2
> Obsoleted CBC ciphers (AES, ARIA etc.) offered
Support for AEAD ciphers, is AFAIK not yet universal among SMTP clients.
Attacks on CBC ciphers are browser-specific.
Postfix supports and prefers AEAD ciphers when available. It is at this
point in time quite safe to set "tls_preempt_cipherlist = yes", which
allows the server to choose the best option presented by the client.
There are no known downgrade attacks that allow an MiTM to force a
client and server to choose a non-AEAD cipher when both ends support
(and the client or server prefers AEAD).
Thus the presence of CBC on the cipher list aids interoperability with
legacy clients without in any way reducing security for clients that
support AEAD. I see no reason to disable CBC ciphers in (port 25) SMTP
at this time.
On your submission ports (465 and/or 587), you can be as strict as the
software used by your own users allows you to be. But fine-tuned
explicit cipherlists are often worse than going with the defaults. Best
to mostly ignore the checklists that are tailored for HTTPS.
If some immovable bureaucratic requirement forces you to disable CBC
ciphers, you can disable all the non-AEAD ciphers by adding
SHA, SHA256, SHA384
to your cipher exclusions, but on port 25 this *will* do more harm than
good.
--
Viktor.
