On 11/11/2016 03:21 AM, li...@lazygranch.com wrote:
> So is this level of encryption something openssl sets up? That is, where do I
> set the parameter?
>
> Original Message
> From: Sven Schwedas
> Sent: Friday, November 11, 2016 3:15 AM
> To: li...@lazygranch.com; postfix-users@postfix.org
> Subject: Re: bits of encryption
>
> On 2016-11-11 12:08, li...@lazygranch.com wrote:
>> That does explain a lot, but why when I "talk to myself" (send myself email)
>> do I get a lower grade (fewer bits) of encryption than when another server is
>> sending mail? Is there some parameter I need to set in postfix?
>
> Which particular algorithm gets chosen is usually up to the TLS client
> (which can be another server connecting to yours): At the start of the
> connection, client and server tell each other what ciphers they support,
> and the client picks one.
>
> There are pros and cons to 128 bit and 256 bit ciphers (128 bit is good
> enough and faster; 256 bit has more safety margin against *some* attacks
> – but not all), some programs prefer one or the other. You'll have to
> look up whether you can tell your particular client software to prefer
> 256 bit ciphers, if you want to.
Mozilla products often prefer 128-bit AES rather than 256-bit because of
concerns that 256-bit may make certain types of timing attacks easier.
The same may be true of other cipher suites.

With hardware AES the timing argument is probably moot, but I know out
of all my processors, only my Xeon has hardware AES - my i3 (now dead)
did not and the i5 and i7 processors in my laptops do not. Mobile
platforms also do not. So the timing paranoia may be real for a lot of
users. Also a lot of servers still use mcrypt which doesn't use hardware
AES even when available, so those servers *may* be safer with AES 128.

But anyway - I don't know that the timing attack argument is really
valid, but that's allegedly why some software prefers AES 128 over AES 256.
It's unlikely AES 128 will be broken anytime soon, but timing attacks
can happen without breaking the actual encryption itself.

Personally I just make sure to configure the server to only offer modern
ciphers without known issues and don't care that much which the client
picks from the whitelist.

For the private key, RSA 4096 probably shouldn't be used btw, as some clients
can't deal with RSA > 2048, and if you really need stronger than RSA 2048
then an ECDSA certificate is more efficient (but some older clients also
don't work with it).

For mail servers I just use RSA 2048 as it works with just about
everything and won't be cracked until long after the cert has expired
and I've rotated the keys anyway.

But I'm just a guy on the Internet, so feel free to come to your own
conclusions.
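As an added example that is not part of the thread, here is a Postfix main.cf fragment that applies the "only offer modern ciphers" approach above on both the receiving (smtpd_) and sending (smtp_) side, lets the server's cipher order win over the client's, and turns logging up so the negotiated suite and its bit strength appear in the mail log. The parameter names are Postfix's own; the exclusion list is this example's choice, and tls_preempt_cipherlist needs Postfix 2.8 or later.

```ini
# Added example main.cf fragment (not from the thread above).

# Receiving side (smtpd_*): what this host offers to connecting MTAs.
# Opportunistic TLS keeps the "medium" grade for interoperability;
# sessions where TLS is required (e.g. submission) get the "high" grade.
smtpd_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
# Strip legacy and broken suites out of whichever grade is in force.
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5, PSK
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# By default the client's cipher preference decides, as the thread explains.
# With this on, the server's order wins (Postfix 2.8+). Postfix's default
# grade lists are sorted with @STRENGTH, so 256-bit suites come first
# whenever the client offers them.
tls_preempt_cipherlist = yes

# Sending side (smtp_*): applies when this host delivers mail, including
# when it "talks to itself".
smtp_tls_security_level = may
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC4, MD5, PSK
smtp_tls_protocols = !SSLv2, !SSLv3

# Level 1 logs each session's protocol, cipher and key bits, e.g.
# "TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
# which is the quickest way to see which grade a given peer ended up with.
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
```

After a `postfix reload`, sending yourself a message and grepping the mail log for "with cipher" shows what both sides negotiated.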