On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users
wrote:
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:
This is not the right question. Some "weak" ciphers are appropriate in
opportunistic TLS, because they are better than cleartext. This applies
when they are still the best available to a non-negligible set of peers.
- Provided your system prefers stronger ciphers, and the offered
"weak" ciphers don't put the integrrity of the handshake at
risk, weak ciphers are fine, provided strong ones are preferred.
> smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
This is not needed. Consider setting "tls_preempt_cipherlist = yes".
> Here's what I see when I use nmap to retrieve the supported ciphers (note
> that there are only TLS 1.2 ciphers listed, and some are weak):
What do you consider weak?
> 587/tcp open submission
> | ssl-enum-ciphers:
> | TLSv1.2:
> | ciphers:
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> | TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> | TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> | TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> | TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> | TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> | TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> | TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> | TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> | TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
