On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users wrote:
> Would someone please describe the configuration settings needed to support > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my > configuration files: This is not the right question. Some "weak" ciphers are appropriate in opportunistic TLS, because they are better than cleartext. This applies when they are still the best available to a non-negligible set of peers. - Provided your system prefers stronger ciphers, and the offered "weak" ciphers don't put the integrrity of the handshake at risk, weak ciphers are fine, provided strong ones are preferred. > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem This is not needed. Consider setting "tls_preempt_cipherlist = yes". > Here's what I see when I use nmap to retrieve the supported ciphers (note > that there are only TLS 1.2 ciphers listed, and some are weak): What do you consider weak? > 587/tcp open submission > | ssl-enum-ciphers: > | TLSv1.2: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A > | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A > | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A > | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A > | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A > | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A > | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A > | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A > | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A > | TLS_DH_anon_WITH_AES_128_CBC_SHA - F > | TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F > | TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F > | TLS_DH_anon_WITH_AES_256_CBC_SHA - F > | TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F > | TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F > | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F > | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F > | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F > | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A > | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A > | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A > | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A > | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A > | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A > | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A > | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A > | TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F > | TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F > | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A > | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A > | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A > | TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A > | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A > | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A > | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A > | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A > | TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A > | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A > | TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A > | TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A > | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A > | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A > | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A > | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A -- Viktor. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org