
Re: Exim, DH, GnuTLS & interop

  • Phil Pennock
    Message 1 of 10, Sep 3, 2013
      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: RIPEMD160

      On 2013-09-01 at 19:02 -0400, Wietse Venema wrote:
      > Second, we have to be mindful that Postfix and Exim are not the
      > only MTAs in existence. If placating Exim results in the loss of
      > interoperability with other MTAs, then we may have to reconsider
      > our approach.

      Okay, I have identified the root cause. The systems that need to be
      placated are older Debian installs, and the method should be broadly
      compatible.

      Debian used to patch, in their build system, the value passed to
      gnutls_dh_set_prime_bits() from 1024 to 2048. This is the value of the
      size of the DH parameters which is the "minimum considered acceptable".
      So Debian broke interop with "66_enlarge-dh-parameters-size.dpatch".

      Those maintaining Exim/Postfix setups should upgrade Exim to a recent
      version; after my overhaul back in 4.80, Debian stopped changing the
      value in their patches.

      The most compatible thing I know of for Postfix users to do is to
      generate DH parameters of size 2048, or very slightly larger, but *not*
      larger than 2236, which was for some time the NSS value of
      DH_MAX_P_BITS.

      If anyone knows of an MTA with which interop would be broken by using
      server DH parameters of size 2048, please do let me know.

      - -Phil
      -----BEGIN PGP SIGNATURE-----

      iEYEAREDAAYFAlImO3EACgkQQDBDFTkDY39a6ACaA2XfA32nQ/x4m83xpFEjoB7r
      zK0AmQGZ9HSdaNELVjWQ+YaOZhXMMN0c
      =vd9e
      -----END PGP SIGNATURE-----
    • Peer Heinlein
      Message 2 of 10, Sep 3, 2013
        On 03.09.2013 21:41, Phil Pennock wrote:

        Hi,

        > Debian used to patch, in their build system, the value passed to
        > gnutls_dh_set_prime_bits() from 1024 to 2048. This is the value of the
        > size of the DH parameters which is the "minimum considered acceptable".
        > So Debian broke interop with "66_enlarge-dh-parameters-size.dpatch".
        >
        > Those maintaining Exim/Postfix setups should upgrade Exim to a recent
        > version; after my overhaul back in 4.80, Debian stopped changing the
        > value in their patches.

        Great. Thanks to Phil and Viktor for their great work. Really THANKS.

        Debian should release a security fix update for their old packages...
        That would be the best, fastest and most secure way to solve the problem
        finally.

        Peer


        --
        Heinlein Support GmbH
        Schwedter Str. 8/9b, 10119 Berlin

        http://www.heinlein-support.de

        Tel: 030 / 405051-42
        Fax: 030 / 405051-19

        Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
        Berlin-Charlottenburg,
        Managing Director: Peer Heinlein -- Registered office: Berlin
      • Viktor Dukhovni
        Message 3 of 10, Sep 3, 2013
          On Tue, Sep 03, 2013 at 12:41:46PM -0700, Phil Pennock wrote:

          > Okay, I have identified the root cause. The systems that need to be
          > placated are older Debian installs, and the method should be broadly
          > compatible.
          >
          > Debian used to patch, in their build system, the value passed to
          > gnutls_dh_set_prime_bits() from 1024 to 2048. This is the value of the
          > size of the DH parameters which is the "minimum considered acceptable".
          > So Debian broke interop with "66_enlarge-dh-parameters-size.dpatch".

          Thanks, this is very useful. So the Postfix work-around for servers
          that want to receive email over TLS from the broken Debian systems is:

          # cd /etc/postfix
          # openssl dhparam -out dh2048.pem 2048
          # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'

          If your openssl(1) version is 1.0.0 or higher, your server may
          perform faster if you generate DSA-style parameters:

          # openssl dhparam -dsaparam -out dh2048.pem 2048

          The "smtpd_tls_dh1024_param_file" is in effect the DH parameter
          set for all non-export cipher-suites. It is OK to use a 2048-bit
          prime group in this context, provided the CPU cost is acceptable
          (generally TLS handshake CPU cost is not on the critical path for
          SMTP throughput) and no SMTP clients choke on the larger DH prime.

          No changes should be necessary for the default Postfix EECDH curve;
          it is strong enough to meet the default lower bounds for GnuTLS,
          and Debian likely did not patch this value (in GnuTLS rather than Exim).

          Only the "Ultra" priority string in GnuTLS requires EC curves with
          more than 256 bits:

          {
            "Ultra",                /* Name */
            GNUTLS_SEC_PARAM_ULTRA, /* Enum */
            256,                    /* Symmetric bits */
            15424,                  /* RSA/EDH modulus bits */
            3072,                   /* DSA bits */
            512,                    /* subgroup bits */
            512                     /* EC bits */
          },

          We can reasonably assume that no MTA is configured to use the
          "Ultra" security level as a default for all Internet destinations.

          --
          Viktor.
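Added example, not code from the thread or from Postfix/Exim: after generating dh2048.pem as Viktor describes, the one thing worth verifying is that the prime actually sits in the window Phil gives (at least 2048 bits so the patched Debian Exim accepts it, at most 2236 bits so a client with the old NSS DH_MAX_P_BITS cap does not fail). The checker below reads the prime size straight out of the PEM without calling openssl(1), by parsing the DER inside it (assumed PKCS#3 DHParameter, SEQUENCE { p INTEGER, g INTEGER, ... }; the X9.42 label that newer OpenSSL may emit starts with the same two INTEGERs, so it is accepted too). The sample parameters at the bottom are constructed in the block for the demo and are not a real DH group; only their encoding and bit length matter.

```python
"""Check a Postfix DH parameter file against the 2048..2236-bit interop
window discussed in the thread.  Added example; not code from the thread.

Assumptions: PKCS#3 "DH PARAMETERS" or X9.42 "X9.42 DH PARAMETERS" PEM,
both of which begin SEQUENCE { p INTEGER, g INTEGER, ... }.  The demo
moduli built by make_demo_pem() are constructed odd numbers of a chosen
bit length, NOT primes and NOT a usable DH group.
"""
import base64
import re

MIN_BITS = 2048  # what Debian's patched gnutls_dh_set_prime_bits() demanded
MAX_BITS = 2236  # NSS DH_MAX_P_BITS for some time, per Phil's message

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>(?:X9\.42 )?DH PARAMETERS)-----(?P<body>.*?)"
    r"-----END (?P=label)-----", re.S)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem: str):
    """Return (p, g) from a DH parameter PEM; raise ValueError otherwise."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group("body").split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def classify(p_bits: int) -> str:
    """Place a prime size in the interop window from the thread."""
    if p_bits < MIN_BITS:
        return "too small: Debian's patched Exim clients reject the handshake"
    if p_bits > MAX_BITS:
        return "too large: clients with the old NSS DH_MAX_P_BITS cap fail"
    return "ok"


def check_pem(pem: str):
    """Return (prime_bits, generator, verdict) for a DH parameter PEM."""
    p, g = parse_dh_params(pem)
    return p.bit_length(), g, classify(p.bit_length())


# --- demo-only encoder (ours, not OpenSSL's) -------------------------------
def _encode_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_int(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                     # keep the DER INTEGER positive
        raw = b"\x00" + raw
    return _encode_tlv(0x02, raw)


def make_demo_pem(p: int, g: int = 2) -> str:
    """Constructed PKCS#3-shaped PEM for the demo; p need not be prime."""
    der = _encode_tlv(0x30, _encode_int(p) + _encode_int(g))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    # Constructed odd moduli of the given bit lengths (demo only).
    for bits in (1024, 2048, 2236, 4096):
        print(bits, check_pem(make_demo_pem((1 << (bits - 1)) | 1)))
    # Real use: print(check_pem(open("/etc/postfix/dh2048.pem").read()))
```

On a live system, point check_pem() at the file named in smtpd_tls_dh1024_param_file; a 4096-bit file generated by habit is exactly the case the upper bound catches.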