On Thu, Nov 07, 2013 at 11:31:03PM +0100, li...@rhsoft.net wrote:

> http://www.postfix.org/TLS_README.html#server_tls
>
> Am I overlooking something or is it not possible to list explicit
> offered ciphers and their order like dovecot/httpd for smtpd?
Postfix provides a more natural user interface in terms of cipher grades
(null, export, low, medium, high). These have sensible, easy-to-reason-about
security properties. I've seen many subtle and not-so-subtle errors when
mere mortals (including myself) have tried to use the raw OpenSSL
cipherlist syntax. Making that be the Postfix interface would be a
disservice to Postfix users.

> I am speaking here about non-MX servers only for submission
> what I most appreciate in this way of configuration is
> openssl ciphers -v '{cipherlist}' to verify it

$ postfix_ciphers() {
    grade="$1"
    # postconf -xh prints the expanded value of tls_<grade>_cipherlist
    openssl ciphers -v "$(postconf -xh tls_${grade}_cipherlist)"
}
$ postfix_ciphers null
ECDHE-RSA-NULL-SHA      SSLv3   Kx=ECDH       Au=RSA   Enc=None  Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3   Kx=ECDH       Au=ECDSA Enc=None  Mac=SHA1
ECDH-RSA-NULL-SHA       SSLv3   Kx=ECDH/RSA   Au=ECDH  Enc=None  Mac=SHA1
ECDH-ECDSA-NULL-SHA     SSLv3   Kx=ECDH/ECDSA Au=ECDH  Enc=None  Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA        Au=RSA   Enc=None  Mac=SHA256
NULL-SHA                SSLv3   Kx=RSA        Au=RSA   Enc=None  Mac=SHA1
NULL-MD5                SSLv3   Kx=RSA        Au=RSA   Enc=None  Mac=MD5
...

The above requires a Postfix recent enough to support "postconf -x";
otherwise, drop the "x" and it'll probably still work, provided there are
no ${variable} macros in your main.cf overrides of these parameters.

If you MUST muck around with raw OpenSSL cipherlists, the underlying
tls_<grade>_cipherlist parameters are present and documented, along with
appropriate warnings not to go there. Note that Postfix will still apply
implicit and configured exclusions to these based on context (!aNULL when
verifying peer certificates).

-- 
Viktor.
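The last paragraph above is the part people get bitten by: the grade list printed by "openssl ciphers -v" is not quite what Postfix hands to OpenSSL, because configured exclusions and the verification-context "!aNULL" are appended afterwards. The script below is an added example, not code from the original post nor from Postfix itself. It composes the effective cipherlist the way the post describes (grade list, then "!name" per entry of the exclusion parameter, then "!aNULL" when verifying) and counts the anonymous suites that survive. The exact appending order, the helper names (build_cipherlist, count_anon, postfix_effective_ciphers) and the SAMPLE_* values are assumptions made for illustration; the sample strings stand in for postconf output and are not Postfix defaults. Check the composition against the tls_misc.c of your Postfix release before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post or from Postfix).
# Emulates the cipherlist Postfix finally passes to OpenSSL for one grade:
#   tls_<grade>_cipherlist  +  ":!name" per configured exclusion  +  ":!aNULL" when verifying.
# The appending behaviour is an assumption about Postfix internals (see tls_misc.c).

# Constructed sample values standing in for "postconf -xh" output (not Postfix defaults).
SAMPLE_HIGH='aNULL:-aNULL:HIGH:@STRENGTH'
SAMPLE_EXCLUDE='RC4, MD5'     # exclusion lists may be comma- or whitespace-separated

# build_cipherlist BASE EXCLUSIONS [VERIFY]
#   BASE        the grade's raw OpenSSL cipherlist
#   EXCLUSIONS  value of e.g. smtpd_tls_exclude_ciphers
#   VERIFY      1 when peer certificates are verified (adds !aNULL), else 0
build_cipherlist() {
    base="$1"
    exclusions="$2"
    verify="${3:-0}"
    list="$base"
    # Split exclusions on commas and whitespace; append one "!tok" per entry.
    for tok in $(printf '%s' "$exclusions" | tr ',' ' '); do
        list="${list}:!${tok}"
    done
    # A verifying context must never negotiate anonymous key exchange.
    if [ "$verify" = 1 ]; then
        list="${list}:!aNULL"
    fi
    printf '%s\n' "$list"
}

# count_anon CIPHERLIST
#   Prints how many suites in CIPHERLIST are anonymous (Au=None) according to
#   "openssl ciphers -v", or "skipped" when openssl is not installed.
count_anon() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    openssl ciphers -v "$1" 2>/dev/null | grep -c 'Au=None' || true
}

# Live variant: same composition, but read from a running Postfix.
# Uses only real parameters: tls_<grade>_cipherlist and smtpd_tls_exclude_ciphers.
postfix_effective_ciphers() {
    grade="$1"
    verify="${2:-0}"
    base=$(postconf -xh "tls_${grade}_cipherlist") || return 1
    excl=$(postconf -xh smtpd_tls_exclude_ciphers) || return 1
    openssl ciphers -v "$(build_cipherlist "$base" "$excl" "$verify")"
}

# Demonstration on the constructed samples: opportunistic vs. verifying context.
build_cipherlist "$SAMPLE_HIGH" "$SAMPLE_EXCLUDE" 0
build_cipherlist "$SAMPLE_HIGH" "$SAMPLE_EXCLUDE" 1
```

Run "postfix_effective_ciphers high 1" on a real host to see the list a verifying smtpd would actually offer; compare it with "postfix_effective_ciphers high 0" to see which anonymous suites the opportunistic context keeps. The point of the count_anon check is that a grade list which looks anonymous-friendly in "openssl ciphers -v" output can still be perfectly safe in a context where Postfix appends "!aNULL".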