> Is there a way to configure smtpd to only use specified ciphers or limit it
> to TLSv1.[12]?
> I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's
> `ssl_ciphers` or `ssl_protocols` configuration directives.

no, we don't want to make this tunable.

the rationale is that we want to propose the best encryption by default.
if there is a better choice, it should be proposed and discussed openly
as it should become the new default.

yes, it's tempting to provide ssl_ciphers but unless there's a very good
reason to do it, we won't introduce this new knob.

> The reason I ask is because I'm very close to failing my PCI compliance
> because of smtpd. They score each compliance test from 0 to 9. If any single
> score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently
> receiving a risk score of 3.9. I have a feeling that in the not too distant
> future this particular test will fail.
> My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to
> information disclosure" because of the initialization vector implementations
> in SSLv3 and TLSv1.0.
> Their stated resolution is:
> "Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
> Configure SSL/TLS servers to only support cipher suites that do not use
> block ciphers."

This can certainly be improved without adding an ssl_ciphers knob.

> I'm not a mail expert, but my feeling is that secured email hasn't been
> widespread until recent years. If any MTAs support encryption, they are
> probably using the latest protocols and ciphers.

That's not correct, no. I get plenty of TLS 1.0 traffic and it has been
the case for many years.
