
Postfix TLS requirements

  • Alex
    Message 1 of 10, Mar 1, 2010
      Hi,

      I have an existing old postfix TLS server set up and working
      successfully. It was created several years ago and has been working
      fine ever since. I'm wondering what the benefits would be with
      upgrading? In other words, I realize I can only support SSLv2, but are
      there other security designs and technologies that I would be
      encouraged to be able to support?

      What encryption/cipher/key length, session key options, etc, choices
      should I be making if I were to do this today?

      Under what circumstances would you want to choose only TLSv1 and not
      SSLv3 and TLSv1?

      Many of the HOWTOs and guides out there that I could find all pertain
      to older versions of postfix. Any word on when Ralph will be updating
      his book? :-) Is there a book you could recommend that covers
      SSLv3/TLSv1 and later versions of postfix?

      Thanks,
      Alex
    • Eray Aslan
      Message 2 of 10, Mar 1, 2010
        On 02.03.2010 06:09, Alex wrote:
        > What encryption/cipher/key length, session key options, etc, choices
        > should I be making if I were to do this today?

        That is difficult to say without knowing what you are trying to protect,
        your threat model etc. If in doubt, go with the defaults.

        > Under what circumstances would you want to choose only TLSv1 and not
        > SSLv3 and TLSv1?

        AFAIK, differences between TLSv1 and SSLv3:
        * Expansion of cryptographic keys from the initially exchanged secret
        was improved
        * MAC construction mechanism modified into an HMAC
        * Mandatory support for Diffie-Hellman key exchange, the Digital
        Signature Standard, and Triple-DES encryption

        In practice, not much of a difference.

        > Many of the HOWTOs and guides out there that I could find all pertain
        > to older versions of postfix. Any word on when Ralph will be updating
        > his book? :-) Is there a book you could recommend that covers
        > SSLv3/TLSv1 and later versions of postfix?

        http://www.postfix.org/TLS_README.html

        Do not change the defaults without understanding the implications.
        Postfix defaults are not chosen randomly.

        --
        Eray
      • Victor Duchovni
        Message 3 of 10, Mar 2, 2010
          On Mon, Mar 01, 2010 at 11:09:08PM -0500, Alex wrote:

          > I have an existing old postfix TLS server set up and working
          > successfully. It was created several years ago and has been working
          > fine ever since.

          You don't have to upgrade Postfix.

          > I'm wondering what the benefits would be with
          > upgrading? In other words, I realize I can only support SSLv2,

          Most unlikely. I am not aware of any legacy versions of Postfix that
          support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
          support is sufficiently modern and robust.

          > but are there other security designs and technologies that I would be
          > encouraged to be able to support?

          You should however upgrade OpenSSL to at least 0.9.8m, as many OpenSSL
          security issues have been addressed in the mean-time.

          If your legacy Postfix is linked with OpenSSL 0.9.7x, then and only then
          do you need to upgrade both (re-compile Postfix with OpenSSL 0.9.8).

          OpenSSL 1.0.0 will be released shortly, if you wait a bit, I would
          strongly recommend OpenSSL 1.0.0 over 0.9.8.

          > What encryption/cipher/key length, session key options, etc, choices
          > should I be making if I were to do this today?

          Use the default settings.

          > Under what circumstances would you want to choose only TLSv1 and not
          > SSLv3 and TLSv1?

          Use the default settings. With sufficiently recent versions of Postfix
          the default is to disable SSLv2 in the SMTP client:

          smtp_tls_protocols = !SSLv2

          if your Postfix supports this parameter, it already defaults to this
          value.

          --
          Viktor.

          P.S. Morgan Stanley is looking for a New York City based, Senior Unix
          system/email administrator to architect and sustain our perimeter email
          environment. If you are interested, please drop me a note.
        • Alex
          Message 4 of 10, Mar 2, 2010
            Hi,

            > Most unlikely. I am not aware of any legacy versions of Postfix that
            > support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
            > support is sufficiently modern and robust.

            I'm not happy saying that it's probably older than that.

            > OpenSSL 1.0.0 will be released shortly, if you wait a bit, I would
            > strongly recommend OpenSSL 1.0.0 over 0.9.8.

            Will it be compatible with other programs compiled against 0.9.*?

            >> What encryption/cipher/key length, session key options, etc, choices
            >> should I be making if I were to do this today?
            >
            > Use the default settings.

            How can I find out what those defaults are? Is this what I should
            expect to see on a modern implementation?

            Mar 1 00:00:39 smtp0 postfix/smtp[6676]: TLS connection established
            to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)

            Is that a characteristic of the certificate that was created or how
            postfix was compiled or otherwise?

            Thanks,
            Alex
          • Victor Duchovni
            Message 5 of 10, Mar 2, 2010
              On Tue, Mar 02, 2010 at 01:15:17PM -0500, Alex wrote:

              > > Most unlikely. I am not aware of any legacy versions of Postfix that
              > > support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
              > > support is sufficiently modern and robust.
              >
              > I'm not happy saying that it's probably older than that.

              Older versions of Postfix still support SSLv3 and TLSv1, but the TLS
              code in Postfix in those releases has some warts, so if you want more
              than opportunistic TLS support, you need 2.3 or later.

              > > OpenSSL 1.0.0 will be released shortly, if you wait a bit, I would
              > > strongly recommend OpenSSL 1.0.0 over 0.9.8.
              >
              > Will it be compatible with other programs compiled against 0.9.*?

              Source-compatible: yes. Binary-compatible: no. Code needs to be
              re-compiled to run with OpenSSL 1.0.0.

              > >> What encryption/cipher/key length, session key options, etc, choices
              > >> should I be making if I were to do this today?
              > >
              > > Use the default settings.
              >
              > How can I find out what those defaults are? Is this what I should
              > expect to see on a modern implementation?

              Postfix settings are documented in postconf(5). Unless you are an SSL
              expert who understands OpenSSL source code in detail, you really should
              not change the default settings, and generally don't need to know what
              they are.

              > Mar 1 00:00:39 smtp0 postfix/smtp[6676]: TLS connection established
              > to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
              >
              > Is that a characteristic of the certificate that was created or how
              > postfix was compiled or otherwise?

              The remote system or your OpenSSL library or both do not support AES.
              AES support in OpenSSL was added in OpenSSL 0.9.7. If you have OpenSSL
              0.9.6, you lack modern ciphers and have a bunch of unfixed SSL security
              issues.

              Bulk encryption cipher-suites have only a tangential connection to
              certificates. The same certificate would have worked with AES256,
              if both sides supported it.

              --
              Viktor.

              P.S. Morgan Stanley is looking for a New York City based, Senior Unix
              system/email administrator to architect and sustain our perimeter email
              environment. If you are interested, please drop me a note.
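
The log line discussed in this message records the protocol, cipher and key bits negotiated for one session. As an added example (not part of the original thread), the Python script below parses such lines and flags sessions that used SSLv2, negotiated a cipher without AES, or used fewer key bits than the algorithm supports. The first sample line is the one quoted in the thread; the others are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Postfix TLS summary line. The colon after the peer is optional because the
# line quoted in the thread has none.
TLS_LINE = re.compile(
    r"postfix/(?P<service>\w+)\[\d+\]: .*?TLS connection established "
    r"(?P<direction>to|from) (?P<peer>\S+?):? "
    r"(?P<protocol>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<used>\d+)/(?P<alg>\d+) bits\)"
)

# First line is quoted from the thread; the rest are constructed samples.
SAMPLE_LOG = [
    "Mar 1 00:00:39 smtp0 postfix/smtp[6676]: TLS connection established "
    "to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)",
    "Mar 1 00:02:11 smtp0 postfix/smtp[6690]: TLS connection established "
    "to mx.example.net: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Mar 1 00:03:40 smtp0 postfix/smtpd[6701]: TLS connection established "
    "from client.example.org[192.0.2.10]: SSLv2 with cipher DES-CBC3-MD5 (168/168 bits)",
    "Mar 1 00:05:02 smtp0 postfix/smtp[6710]: TLS connection established "
    "to old.example.com: SSLv3 with cipher EXP-RC4-MD5 (40/128 bits)",
    "Mar 1 00:05:03 smtp0 postfix/qmgr[501]: 1A2B3C4D5E: removed",
]

def parse_tls_line(line):
    """Return the negotiated TLS parameters from one log line, or None."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # (used/alg bits): key bits actually in use vs. bits the algorithm supports.
    rec["used"], rec["alg"] = int(rec["used"]), int(rec["alg"])
    return rec

def review(rec):
    """List the points worth a follow-up for one parsed session."""
    notes = []
    if rec["protocol"] == "SSLv2":
        notes.append("SSLv2 negotiated")          # thread: smtp_tls_protocols = !SSLv2
    if "AES" not in rec["cipher"]:
        notes.append("no AES")                    # thread: one side may lack AES support
    if rec["used"] < rec["alg"]:
        notes.append("reduced key strength")      # e.g. export-grade cipher
    return notes

def audit(lines):
    """Tally (protocol, cipher) pairs and collect flagged peers."""
    sessions, flagged = Counter(), []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue                               # not a TLS summary line
        sessions[(rec["protocol"], rec["cipher"])] += 1
        notes = review(rec)
        if notes:
            flagged.append((rec["peer"], notes))
    return sessions, flagged

if __name__ == "__main__":
    sessions, flagged = audit(SAMPLE_LOG)
    for (proto, cipher), count in sessions.most_common():
        print(f"{count:3d}  {proto:6s} {cipher}")
    for peer, notes in flagged:
        print(f"{peer}: {'; '.join(notes)}")
```

The flags are prompts to check the OpenSSL version on each end, not a reason to override the Postfix defaults.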
            • Alex
              Message 6 of 10, Mar 2, 2010
                Hi,

                > Postfix settings are documented in postconf(5). Unless you are an SSL
                > expert who understands OpenSSL source code in detail, you really should
                > not change the default settings, and generally don't need to know what
                > they are.

                So is it at OpenSSL compile time that the ciphers would be specified
                and determined whether or not to make them available to postfix? Then
                when postfix is built, it is able to interpret at that time how to
                integrate and make available the ciphers provided to it by OpenSSL?

                > to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)

                The 168/168 is a reference to the session key, correct? Configured for
                tlsmgr at run-time?

                > The remote system or your OpenSSL library or both do not support AES.

                Okay, can I draw the conclusion that the cipher shown is the
                "strongest" available on either the remote or local system? It's not
                possible to figure out which ciphers are offered to TLS clients on my
                server?

                Thanks so much.
                Best regards,
                Alex
              • Victor Duchovni
                Message 7 of 10, Mar 2, 2010
                  On Tue, Mar 02, 2010 at 02:42:37PM -0500, Alex wrote:

                  > > Postfix settings are documented in postconf(5). Unless you are an SSL
                  > > expert who understands OpenSSL source code in detail, you really should
                  > > not change the default settings, and generally don't need to know what
                  > > they are.
                  >
                  > So is it at OpenSSL compile time that the ciphers would be specified
                  > and determined whether or not to make them available to Postfix?

                  Largely yes, but this sounds like the wrong question. What real problem
                  are you trying to solve?

                  > Then when postfix is built, it is able to interpret at that time how to
                  > integrate and make available the ciphers provided to it by OpenSSL?
                  >
                  > > to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
                  >
                  > The 168/168 is a reference to the session key, correct? Configured for
                  > tlsmgr at run-time?

                  No.

                  > > The remote system or your OpenSSL library or both do not support AES.
                  >
                  > Okay, can I draw the conclusion that the cipher shown is the
                  > "strongest" available on either the remote or local system?

                  Yes, the strongest supported by both subject to the preference order of
                  the server or the client at the server's discretion.

                  > It's not
                  > possible to figure out which ciphers are offered to TLS clients on my
                  > server?

                  It is possible, but you will most likely shoot yourself in the foot if
                  you try to use this information to adjust Postfix settings.

                  The Postfix defaults are chosen carefully, and act as a barrier between
                  shotgun and foot. What real problem are you trying to solve?

                  --
                  Viktor.

                • Alex
                  Message 8 of 10, Mar 2, 2010
                    Hi,

                    >> It's not
                    >> possible to figure out which ciphers are offered to TLS clients on my
                    >> server?
                    >
                    > It is possible, but you will most likely shoot yourself in the foot if
                    > you try to use this information to adjust Postfix settings.
                    >
                    > The Postfix defaults are chosen carefully, and act as a barrier between
                    > shotgun and foot. What real problem are you trying to solve?

                    Well, I'm now really just trying to better understand what it all
                    means. I'm sure to think I could do a better job than postfix itself
                    would be a mistake.

                    Where did postfix get the information to make its decision? I don't
                    see how it put together that chain of encryption and authentication to
                    build the tunnel.

                    Thanks,
                    Alex
                  • Victor Duchovni
                    Message 9 of 10, Mar 2, 2010
                      On Tue, Mar 02, 2010 at 04:04:29PM -0500, Alex wrote:

                      > >> It's not
                      > >> possible to figure out which ciphers are offered to TLS clients on my
                      > >> server?
                      > >
                      > > It is possible, but you will most likely shoot yourself in the foot if
                      > > you try to use this information to adjust Postfix settings.
                      > >
                      > > The Postfix defaults are chosen carefully, and act as a barrier between
                      > > shotgun and foot. What real problem are you trying to solve?
                      >
                      > Well, I'm now really just trying to better understand what it all
                      > means. I'm sure to think I could do a better job than postfix itself
                      > would be a mistake.

                      Postfix selects sensibly strong protocols and ciphers for opportunistic
                      and mandatory TLS respectively.

                      > Where did postfix get the information to make its decision?

                      The documentation is in TLS_README.html

                      The OpenSSL library implements a (powerful, but fragile) cipher selection
                      language. Postfix uses the OpenSSL cipher selection language with care to
                      implement less flexible, but more robust/intuitive cipher "grade" levels
                      and selects the grade automatically based on the destination policy.

                      > I don't
                      > see how it put together that chain of encryption and authentication to
                      > build the tunnel.

                      Avoid all temptation to tweak the underlying SSL details and work
                      with the higher level Postfix interface:

                      http://www.postfix.org/TLS_README.html#client_tls_limits
                      http://www.postfix.org/TLS_README.html#client_tls_levels
                      http://www.postfix.org/TLS_README.html#client_tls_may
                      http://www.postfix.org/TLS_README.html#client_tls_encrypt
                      http://www.postfix.org/TLS_README.html#client_tls_secure
                      http://www.postfix.org/TLS_README.html#client_tls_policy

                      --
                      Viktor.

                    • Alex
                      Message 10 of 10, Mar 3, 2010
                        Hi,

                        > The OpenSSL library implements a (powerful, but fragile) cipher selection
                        > language. Postfix uses the OpenSSL cipher selection language with care to
                        > implement less flexible, but more robust/intuitive cipher "grade" levels
                        > and selects the grade automatically based on the destination policy.

                        I have a much better understanding now. Thanks so much for your help.

                        I've got quite a bit of reading ahead of me.

                        Best regards,
                        Alex