Hi,

> > I have a postfix-3.5.10 system and am having a little trouble configuring
> > it to ensure I'm not including any vulnerable ciphers. I had
> > previously posted about this issue in September, and thought I
> > followed the instructions I was given, but a recent security scan
> > (onsecurity) shows port 25 is still vulnerable to the SWEET32 attack.
>
> But it actually isn't. Sweet32 can only be used against very long-lived
> TLS sessions using obsolete ciphers. You have to do some hacking on
> OpenSSL code to get it to support a vulnerable cipher in recent
> versions.
>
> Fire that vendor, they lie to you.
I later learned they basically just ran testssl.sh against port 25 and reported back. It's apparently a one-size-fits-all approach: it's either "secure" or it's not.

> > Here are my current settings:
> >
> > # postconf -n -c /etc/postfix-117|grep -E 'tls|cipher'
> > smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> > smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> > smtp_tls_security_level = may
>
> This means that you will use plaintext for sending to many sites, rather
> than falling back to the almost universally supported TLSv1.0 on sites
> that can't do 1.2 or 1.3.
>
> The vulnerabilities I am aware of that justify sticking to v1.2/3 in
> web, IMAP, and database servers are not viable against SMTP because of
> the brief, non-repetitive, and largely unpredictable nature of the TLS
> sessions used by SMTP.

Would you explain what specifically about the above has removed any ability for clients to build an encrypted connection and requires cleartext? Is it the exclusion of the use of any TLS version above 1.2? Maybe the part I'm not understanding is whether it's possible to somehow compromise the server if we offer older versions of TLS. What is my exposure for allowing older versions of TLS?

> Very few people have the cryptography chops to usefully evaluate an
> extensive list of specific ciphers for maximal safety. 99.9% of such
> lists that you will find published are cargo-cult artifacts at some
> point, if only when you read the list from RH and drop it in to Postfix
> without deep analysis. If you're going to be like almost everyone and
> trust a third party to do such deep analysis, you have to choose your
> trusted authorities carefully. Trusting the Postfix developers (and
> perhaps the official packagers for your platform) is at least as safe as
> pulling a list from a RH page, and you get the bonus of your cipherlists
> being maintained by SOMEONE ELSE as long as you keep updating
> diligently.
Yes, which is exactly why I'm coming here, asking questions, and trying to understand, instead of just blindly implementing something from the interwebs.

Just to be clear, here's my current config:

smtpd_tls_security_level = may
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION

Is excluding SSL and TLS for smtpd_tls_protocols above the same as stipulating >=TLSv1.2 with smtpd_tls_mandatory_protocols?

Thanks,
Alex
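Editor's note. The two questions in this message, why the quoted settings lead to plaintext delivery and whether an exclusion list is the same as ">=TLSv1.2", both come down to which protocol versions a setting leaves enabled and which setting applies at a given security level. The script below is an added example written for this page; it is not Postfix code and not code from anyone in the thread. It reduces both syntaxes to the set of enabled versions, and models (in simplified form) the Postfix SMTP client's behaviour: at smtp_tls_security_level = may the opportunistic parameter smtp_tls_protocols is what matters, and a failed handshake is retried in the clear; at encrypt or stronger the mandatory parameter applies and the mail is deferred instead. The names ALL_VERSIONS, allowed_versions, equivalent, client_outcome and THREAD_CONFIG are this example's own, the version list is assumed to be what a current OpenSSL can offer, and the constructed THREAD_CONFIG copies the smtp_ settings quoted above. Note that smtpd_ parameters govern the server side (port 25 inbound) and smtp_ parameters the client side; the example only models the client. Whether a given Postfix release accepts the ">=TLSv1.2" floor syntax at all is a separate question to check against postconf(5) for that release.

```python
"""Which TLS versions a Postfix *_tls_protocols value leaves enabled, and
what the Postfix SMTP client does when a peer cannot meet it.

Added example for this thread; not Postfix code and not code posted by
anyone in the discussion. Assumptions: the exclusion syntax
("!SSLv2,!SSLv3,...") and the floor syntax (">=TLSv1.2") reduce to a set
of enabled versions; ALL_VERSIONS is what a current OpenSSL can name; the
fallback rules are a simplification of Postfix behaviour (level "may":
failed handshake -> plaintext retry; "encrypt" or stronger: deferred).
"""
from __future__ import annotations

import re

# Protocol versions OpenSSL can name, oldest first (assumed list).
ALL_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _check(name: str) -> str:
    if name not in ALL_VERSIONS:
        raise ValueError(f"unknown protocol name {name!r}")
    return name


def allowed_versions(setting: str) -> set[str]:
    """Return the versions a *_tls_protocols value leaves enabled.

    Handles an exclusion list ("!SSLv2, !SSLv3"), a plain inclusion list
    ("TLSv1.2 TLSv1.3") and a floor/ceiling (">=TLSv1.2", "<=TLSv1.2").
    Exclusions are applied last. Postfix forbids mixing floors with plain
    names; this model just intersects floors with whatever else was named.
    """
    tokens = [t for t in re.split(r"[\s,]+", setting.strip()) if t]
    included: set[str] | None = None   # None means "everything not excluded"
    excluded: set[str] = set()
    for tok in tokens:
        if tok.startswith("!"):
            excluded.add(_check(tok[1:]))
        elif tok.startswith((">=", "<=")):
            idx = ALL_VERSIONS.index(_check(tok[2:]))
            span = ALL_VERSIONS[idx:] if tok.startswith(">=") else ALL_VERSIONS[: idx + 1]
            included = set(span) if included is None else included & set(span)
        else:
            included = {_check(tok)} if included is None else included | {_check(tok)}
    base = set(ALL_VERSIONS) if included is None else included
    return base - excluded


def equivalent(setting_a: str, setting_b: str) -> bool:
    """True when two protocol settings enable exactly the same versions."""
    return allowed_versions(setting_a) == allowed_versions(setting_b)


def client_outcome(config: dict[str, str], peer_versions: set[str]) -> str:
    """Outcome of an outbound session to a peer that only offers
    `peer_versions`: "encrypted:<version>", "plaintext" or "deferred".

    At security level "may" the opportunistic smtp_tls_protocols applies;
    at "encrypt" or stronger the smtp_tls_mandatory_protocols value applies.
    """
    level = config.get("smtp_tls_security_level", "none")
    if level == "none":
        return "plaintext"
    key = "smtp_tls_protocols" if level == "may" else "smtp_tls_mandatory_protocols"
    common = allowed_versions(config[key]) & peer_versions
    if common:
        return "encrypted:" + max(common, key=ALL_VERSIONS.index)
    return "plaintext" if level == "may" else "deferred"


# Constructed copy of the smtp_ settings quoted in the thread.
THREAD_CONFIG = {
    "smtp_tls_security_level": "may",
    "smtp_tls_protocols": "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1",
    "smtp_tls_mandatory_protocols": "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1",
}

if __name__ == "__main__":
    print(sorted(allowed_versions(THREAD_CONFIG["smtp_tls_protocols"]), key=ALL_VERSIONS.index))
    print(equivalent("!SSLv2,!SSLv3,!TLSv1,!TLSv1.1", ">=TLSv1.2"))
    # A peer stuck on TLSv1.0: with the thread's settings the mail goes in the clear.
    print(client_outcome(THREAD_CONFIG, {"TLSv1"}))
    # Loosened opportunistic setting: same peer, now encrypted with TLSv1.0.
    loosened = dict(THREAD_CONFIG, smtp_tls_protocols="!SSLv2,!SSLv3")
    print(client_outcome(loosened, {"TLSv1"}))
```

The two forms are equivalent as protocol sets (both leave TLSv1.2 and TLSv1.3 enabled), but the exclusion form silently keeps anything not named, so a future OpenSSL version name would be allowed by "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" and not by a ceiling, while a floor keeps newer versions on purpose. The third printed line is the point made in the reply above: the restrictive opportunistic setting does not make a TLSv1.0-only peer unreachable, it makes the mail to it unencrypted.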