Loading ...
Sorry, an error occurred while loading the content.

295756Re: postfix hardening - what can we do?

Expand Messages
  • Viktor Dukhovni
    Oct 4, 2013
      On Fri, Oct 04, 2013 at 11:21:34AM -0400, micah wrote:

      > > By default the server picks the client's most preferred cipher that
      > > is also available on the server. You can set "tls_preempt_cipherlist
      > > = yes" to have the server use its most preferred cipher supported
      > > by the client. This could break some fragile clients that offer
      > > ciphers (at a low preference) whose implementation is broken.
      > That is interesting. I tried to preempt the cipherlist and disable ECDHE
      > to avoid the NIST curves, but couldn't get postfix to exclude that
      > cipher using smtpd_tls_exclude_ciphers.

      You using an interface that is too low level. To disable EECDH support
      set the EECDH grade to "none"

      smtpd_tls_eecdh_grade = none

      You don't need to change the preempt setting for this, disabled
      algorithms are never selected.

      > It wasn't clear to me from
      > http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers what
      > the correct syntax to use there is, I tried kxECDHE but that didn't work
      > either. Do you what format those are specified in?

      I prefer to discourage explicit use of the low level OpenSSL cipher
      settings. They are there for emergencies, but Postfix works hard
      to avoid any need for users to set these.

      As I mentioned before, there is really no rational basis for making
      any changes in this space. We don't know which of the crypto
      primitives are compromised if any. If you are using TLS, that's
      much stronger than plaintext, the rest is largely immaterial.

    • Show all 14 messages in this topic