Thanks, here's the output:

$ postconf -H | grep -E 'high|medium'
tls_high_cipherlist
tls_medium_cipherlist
$

Empty cipher lists?

Scott

> -----Original Message-----
> From: Wietse Venema via Postfix-users <postfix-users@postfix.org>
> Sent: Wednesday, February 28, 2024 2:18 PM
> To: Postfix users <postfix-users@postfix.org>
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
> 
> Scott Hollenbeck via Postfix-users:
> > Sorry, I should note that this is for postfix 3.6.4.
> >
> 
> postconf -H | grep -E 'high|medium'
> 
>       Wietse
> >
> > > -----Original Message-----
> > > From: Scott Hollenbeck via Postfix-users <postfix-users@postfix.org>
> > > Sent: Wednesday, February 28, 2024 8:55 AM
> > > To: postfix-users@postfix.org
> > > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
> > >
> > > Would someone please describe the configuration settings needed to
> > > support TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently
> > > have in my configuration files:
> > >
> > > main.cf:
> > >
> > > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > > smtpd_tls_security_level = may
> > > smtpd_tls_mandatory_ciphers = high
> > > smtpd_tls_protocols = >=TLSv1.2
> > > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > >
> > > master.cf:
> > >
> > > submission inet n       -       n       -       -       smtpd
> > >   -o syslog_name=postfix/submission
> > >   -o smtpd_tls_security_level=encrypt
> > >   -o smtpd_sasl_auth_enable=yes
> > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > >
> > > Here's what I see when I use nmap to retrieve the supported ciphers
> > > (note that there are only TLS 1.2 ciphers listed, and some are weak):
> > >
> > > $ nmap-ciphers 587 mysite.com
> > > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > > Nmap scan report for mysite.com (173.255.237.114)
> > > Host is up (0.00017s latency).
> > > Other addresses for mysite.com (not scanned):
> > > 2600:3c03::f03c:91ff:fe70:dbb
> > > rDNS record for 173.255.237.114: mysite.net
> > >
> > > PORT    STATE SERVICE
> > > 587/tcp open  submission
> > > | ssl-enum-ciphers:
> > > |   TLSv1.2:
> > > |     ciphers:
> > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > > |       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > > |       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > > |       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > > |       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > > |       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > > |       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> > > |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> > > |       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> > > |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> > > |       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> > > |       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> > > |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> > > |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> > > |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> > > |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
> > > |     compressors:
> > > |       NULL
> > > |     cipher preference: client
> > > |_  least strength: F
> > >
> > > Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
> > > $
> > >
> > > Thanks for your guidance,
> > > Scott
> > >
> > > _______________________________________________
> > > Postfix-users mailing list -- postfix-users@postfix.org
> > > To unsubscribe send an email to postfix-users-le...@postfix.org
> >
> >
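The scan above is consistent with Postfix defaults rather than an empty cipher list: `postconf -H` prints parameter names only, and `postconf tls_high_cipherlist tls_medium_cipherlist` shows the values in effect (`postconf -d` the compiled-in defaults). Both default lists start with `aNULL:-aNULL:`, so the server still offers anonymous DH/ECDH suites even with `smtpd_tls_mandatory_ciphers = high`; every F-graded line in the scan is one of the `TLS_DH_anon_*`/`TLS_ECDH_anon_*` suites, and `cipher preference: client` reflects the default `tls_preempt_cipherlist = no`. The `smtpd_tls_mandatory_*` parameters only take effect where the security level is `encrypt` or stronger (the submission service in master.cf); port 25 at level `may` uses `smtpd_tls_ciphers`/`smtpd_tls_protocols`, and tightening those trades opportunistic TLS for cleartext with older peers. The following main.cf/master.cf fragment is an added example of mine, not anything posted in the thread or shipped by Postfix; it reuses the paths and the submission service from the original post, and the exclusions and the preference setting are choices for a submission-only hardening, not Postfix defaults.

```conf
# main.cf (added example; only the TLS lines relevant to the thread)
smtpd_tls_cert_file = /etc/letsencrypt/live/mysite.net/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mysite.net/privkey.pem

# Port 25 stays opportunistic. smtpd_tls_ciphers (default "medium") is
# deliberately left alone: a peer that cannot match a stricter list falls
# back to cleartext, which is worse than a weaker cipher.
smtpd_tls_security_level = may
smtpd_tls_protocols = >=TLSv1.2

# Mandatory settings: in effect only where the level is "encrypt" or
# stronger, i.e. on the submission service below.
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers   = high
# "high" expands to aNULL:-aNULL:HIGH:@STRENGTH and still offers anonymous
# DH/ECDH suites (the F-graded TLS_DH_anon_*/TLS_ECDH_anon_* lines above).
# aNULL removes them. kRSA additionally drops static-RSA key exchange,
# which nmap grades A but gives no forward secrecy (my choice, not a default).
smtpd_tls_mandatory_exclude_ciphers = aNULL, kRSA
# Use the server's cipher order instead of the client's
# (the scan reported "cipher preference: client").
tls_preempt_cipherlist = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# master.cf (the submission service as posted; unchanged)
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, `postconf -n | grep tls` shows what is actually set, and `openssl s_client -starttls smtp -connect mysite.com:587 -tls1_3 </dev/null` confirms TLS 1.3 independently of the scanner. TLS 1.3 suites are selected by OpenSSL's separate ciphersuites setting, not by the cipher list these parameters build, so none of the exclusions above removes a TLS 1.3 suite.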

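A small filter for the scan format above, as an added example of my own (not from the thread, nmap or Postfix). It reads `nmap --script ssl-enum-ciphers` output on stdin and prints the suites a submission server should not offer together with the reason. The policy (nmap grade below A, anonymous key exchange, static RSA, non-AEAD) is this script's assumption, and the embedded sample is constructed from a subset of the scan in the thread, not a fresh scan.

```shell
#!/bin/sh
# Added example: flag cipher suites in nmap ssl-enum-ciphers output that a
# submission (port 587) server should not offer. The rules are this script's
# policy, not nmap's grading or a Postfix default:
#   - nmap grade below A (the anonymous suites above are graded F)
#   - *_anon_* key exchange: no server authentication at all
#   - TLS_RSA_* static-RSA key exchange: no forward secrecy
#   - anything that is not an AEAD suite (GCM, CCM, CHACHA20-POLY1305)
weak_ciphers() {
    awk '
        # Cipher lines look like "|       TLS_X_WITH_Y (dh 2048) - A":
        # $1 is "|", $2 the suite name, $NF the grade letter.
        /^\|[ \t]+TLS_[A-Z0-9_]+/ {
            name = $2; grade = $NF; reason = ""
            if (grade != "A")
                reason = "nmap grade " grade
            else if (name ~ /_anon_/)
                reason = "anonymous key exchange"
            else if (name ~ /^TLS_RSA_/)
                reason = "no forward secrecy"
            else if (name !~ /_(GCM|CCM|CHACHA20_POLY1305)/)
                reason = "not AEAD"
            if (reason != "")
                print name "\t" reason
        }
    '
}

# Number of flagged suites on stdin (0 means the scan passes this policy).
weak_count() {
    weak_ciphers | wc -l | tr -d ' '
}

# Constructed sample: a subset of the scan posted in the thread, in the
# one-suite-per-line form nmap emits.
SAMPLE_SCAN='PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: F'

# Stand-alone run: prints the three suites the sample should not offer.
printf '%s\n' "$SAMPLE_SCAN" | weak_ciphers
```

Against a live host: `nmap --script ssl-enum-ciphers -p 587 mysite.com | weak_ciphers`. On the full scan in the thread this flags every `_anon_` suite (grade F), every `TLS_RSA_*` suite and every CBC suite; the first group is what `smtpd_tls_mandatory_exclude_ciphers = aNULL` removes, the others are a stricter policy than nmap's own grading and are worth applying only on the authenticated submission port, not on opportunistic port 25.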