On Fri, Apr 11, 2014 at 10:32:17PM +0100, Sean Wilson wrote:
> http://postfix.1071664.n5.nabble.com/Postfix-and-TLS-1-2-td66859.html
> I am battling to understand why my Postfix server doesn't always
> use a TLS 1.2 connection with clients that support it. I currently
> have the latest version of Postfix installed on FreeBSD 10-STABLE
> and I have OpenSSL version 1.0.1g 7 Apr 2014 installed. This is
> what happens: When I send an email to someone that uses high grade
> encryption the log looks as follows:
>
> postfix/smtp[2554]: Trusted TLS connection established to
> mx.domain.com[xxx.xxx.196.175]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> All looks good...TLS 1.2 is used and the GCM cipher is used. That's
> fine mx.domain.com chooses the most preferred cipher offered by
> the TLS client, i.e. your Postfix SMTP server.
>
> When I receive an email from the same client:
>
> postfix/smtpd[84316]: Anonymous TLS connection established from
> mx.domain.com[xxx.xxx.196.175]:
> TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256)
As an SMTP/TLS client, possibly for interoperability reasons, this
particular MTA chooses to suppress TLSv1.2.
> So why is only TLS 1.1 being used?
Ask the postmaster of the MTA in question, perhaps they some problems
with remote MTAs choking on TLSv1.2 and decided to apply hammer to
problem.
> Also, why isn't the GCM cipher used, isn't this more secure?
Perhaps, but not by much, and perhaps it is a TLA plot, GCM is
quite fragile in the face of implementation errors and RNG problems.
Many think that GCM is not a good choice for software implementations
of AEAD ciphers.
> Do I need to tweak the cipher order to use more secure ciphers and TLS
> 1.2?
No. AES-256-CBC is quite secure enough, the weakest link in protecting
your email is probably elsewhere and much weaker than AES-256-CBC.
> main.cf contains:
>
> smtpd_tls_ask_ccert = yes
Why?
> tls_preempt_cipherlist = yes
Not recommended.
> smtpd_tls_mandatory_ciphers = high
Fine if all your submission clients are suitable capable.
> smtpd_tls_ciphers = export
Default, but we may at some point change this to "medium", so
you should probably not set this explicitly.
> smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
> smtp_tls_ciphers = $smtpd_tls_ciphers
> lmtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
> lmtp_tls_ciphers = $smtpd_tls_ciphers
Better define some new parameter:
site_mandatory_ciphers = high
site_ciphers = medium
and define the various parameters using those, rather than alias
smtp/lmtp values to smtpd values (which won't work if you ever
revert the smtpd values to defaults).
--
Viktor.
