On Mon, May 08, 2023 at 06:13:25PM -0400, Wietse Venema via Postfix-users wrote:
> We're thinking of adding a few new settings to the stable Postfix
> releases that allow Postfix to regain some control over crypto
> policies that do not necessarily improve matters for SMTP where
> the main result would be more plaintext communication.
>
> With stable releases, it would not be appropriate to introduce a
> boatload of features, but plausible candidates are:
>
> tls_config_file = default | none(*) | /path/to/file
> (*)only OpenSSL 1.1.b and later

Minor correction, the base OpenSSL release that supports configuration
file overrides is "1.1.1b", rather than "1.1.b".

- The minimum OpenSSL version supported by Postfix 3.6 and later is 1.1.1.

- The OpenSSL version in which RedHat started introducing strict crypto
  policies is OpenSSL 3.0.

This means that:

- If you're still using OpenSSL 1.0.2 (with Postfix <= 3.5) you probably
  don't need to override the system-wide openssl.cnf file. Though it may
  be possible to use:

      import_environment = ... default value from "postconf -d"... OPENSSL_CONF=/some/file

  An empty file would be equivalent to "none".

- If you're using OpenSSL 1.1.1 or 1.1.1a, you also probably don't need
  to override the system-wide openssl.cnf file. Same work-around as
  before, or set the application name, and add appropriate application
  settings in the system-wide file.

- If you're using OpenSSL 1.1.1b or later, and in particular 3.0 or,
  especially on a RedHat or Fedora system, you may choose to override
  the system-wide configuration file or the application name. Then,
  overly strict cryptographic policy will not result in unnecessary
  downgrades to cleartext in opportunistic TLS.

We'll probably later have to extend support for tweaking additional
TLS-related settings through the "SSL_CONF" API, though that will have
the downside that non-expert users may end up cargo culting settings
that do more harm than good.

I'll try to discourage this as much as possible, but the target audience
will be those who know what they are doing, or are following sound
advice. One goal may be to make some of the crypto hardening conditional
on the TLS security level, which means different settings for different
levels. Hopefully more on this as 3.9 snapshots evolve.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
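The OPENSSL_CONF work-around from Viktor's reply (appending OPENSSL_CONF=/some/file to the default import_environment, with an empty file standing in for "none"), as an added example script that is not part of the original post or of Postfix itself. It assumes the override file path /etc/postfix/openssl-none.cnf (constructed) and only runs postconf and postfix when invoked with --apply; the helper functions can be exercised without a Postfix installation.

```shell
#!/bin/sh
# Added example, not from the list post. Applies the OPENSSL_CONF
# work-around for Postfix releases that lack tls_config_file.

# Append OPENSSL_CONF=<file> ($2) to an import_environment value ($1).
# If OPENSSL_CONF is already listed, return the value unchanged so that
# repeated runs do not accumulate duplicate entries.
build_import_environment() {
    case " $1 " in
        *" OPENSSL_CONF="*) printf '%s\n' "$1" ;;
        *)                  printf '%s OPENSSL_CONF=%s\n' "$1" "$2" ;;
    esac
}

# Say what the override file means to OpenSSL: "none" for an empty file
# (no settings at all, the equivalent of tls_config_file = none),
# "override" for a non-empty file, "missing" (exit 1) if it does not exist.
classify_openssl_conf() {
    if [ ! -f "$1" ]; then
        echo missing
        return 1
    elif [ ! -s "$1" ]; then
        echo none
    else
        echo override
    fi
}

# Real run: take the compiled-in default from "postconf -d" (-h drops the
# parameter name), append the override, write it to main.cf, and reload.
apply_override() {
    file=${1:-/etc/postfix/openssl-none.cnf}   # constructed default path
    [ -f "$file" ] || : > "$file"              # create an empty file: "none"
    echo "override file is: $(classify_openssl_conf "$file")"
    current=$(postconf -dh import_environment)
    new=$(build_import_environment "$current" "$file")
    postconf -e "import_environment = $new"
    postfix reload
}

if [ "${1:-}" = "--apply" ]; then
    apply_override "${2:-}"
fi
```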