On Wed, Aug 19, 2015 at 09:57:37AM -0700, Alice Wonder wrote:

> >>smtpd_tls_exclude_ciphers = RC4, 3DES, IDEA
> >>
> >>I still have to go through.
> >
> >It is not (yet) a good idea to disable RC4 or 3DES on the server
> >side.  IDEA is essentially unused, so removing it is harmless.
> >Don't (yet) disable RC4 or 3DES, this just makes it harder for
> >some systems to send you email.
> 
> I'm not that worried about RC4 or 3DES in smtp to smtp

Perhaps you mean MTA-to-MTA?

> What I'm worried about is a cipher downgrade attack between an e-mail client
> and the server that causes a weaker cipher to be used, allowing authentication
> information to potentially be compromised.
>
> That's why I don't want RC4 and if I could do it without impacting port 25
> traffic, go to strict strong ECDHE and maybe DHE ciphers on 587 only, so it
> doesn't impact smtp to smtp where login credential theft isn't an issue.

That's why I suggested:

    main.cf:
        smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
        smtpd_tls_mandatory_ciphers = high

which combined with:

    master.cf:
        submission inet ... smtpd
          -o smtpd_tls_security_level=encrypt

avoids weak ciphersuites with MUA to MSA submissions.

If you're one of the few and the brave with an ECDSA server
certificate, and you also solicit client certificates via
"smtpd_tls_ask_ccert=yes", you can add:

    smtpd_tls_mandatory_exclude_ciphers = kECDH

to suppress "fixed ECDH" key agreement, which was never a good
idea, and is vulnerable to the exotic recently disclosed KCI attack
(which requires clients to be coaxed into using attacker provided
client certificates).

Don't know which if any MUAs support fixed ECDH handshakes.  The
issue is mostly hypothetical.

-- 
        Viktor.
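
An added example, not part of the message above and not Postfix code: a small Python audit that resolves, for each smtpd service in master.cf, which cipher grade, protocols and exclusions apply. It shows that the smtpd_tls_mandatory_* settings suggested above take effect only where the security level is "encrypt" (the submission service) and do not change port 25. The sample files and function names are constructed for illustration; legacy smtpd_use_tls/smtpd_enforce_tls and multi-line main.cf values are not modelled.

```python
import re

# Constructed sample files; only the smtpd_tls_* settings come from the message above.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = kECDH
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
"""
DEFAULT = "(Postfix default)"  # placeholder: built-in defaults vary by version

def parse_main(text):
    """Single-line 'name = value' settings from main.cf text."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if l[:1].strip() and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_master(text):
    """Map each smtpd service to its -o overrides (indented lines continue an entry)."""
    services, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a new service entry starts in column 1
            fields = line.split()
            name = fields[0] if len(fields) > 7 and fields[7] == "smtpd" else None
        if name:
            services.setdefault(name, {}).update(re.findall(r"-o\s+(\w+)=(\S+)", line))
    return services

def effective_tls(main, overrides):
    """Resolve the TLS settings one smtpd service uses (master.cf -o beats main.cf)."""
    cfg = {**main, **overrides}
    level = cfg.get("smtpd_tls_security_level", "none")
    words = lambda key: [w for w in re.split(r"[,\s]+", cfg.get(key, "")) if w]
    m = "mandatory_" if level == "encrypt" else ""  # mandatory TLS selects *_mandatory_*
    extra = words("smtpd_tls_mandatory_exclude_ciphers") if m else []
    return {"level": level, "exclude": words("smtpd_tls_exclude_ciphers") + extra,
            "ciphers": cfg.get(f"smtpd_tls_{m}ciphers", DEFAULT),
            "protocols": cfg.get(f"smtpd_tls_{m}protocols", DEFAULT)}

def audit(main_text, master_text):
    return {s: effective_tls(parse_main(main_text), o) for s, o in parse_master(master_text).items()}
```

Calling `audit(MAIN_CF, MASTER_CF)` returns one entry per smtpd service; on a live system, `postconf -n` and `postconf -M` output can be fed in instead of the sample strings.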
