Thus far, 4096 bit encryption hasn't been an issue. When I see email without encryption, it is because their service doesn't offer it. Telus (Canada) being a prime example.

Original Message
From: Alice Wonder
Sent: Friday, November 11, 2016 11:01 AM
To: postfix-users@postfix.org
Subject: Re: bits of encryption

On 11/11/2016 03:21 AM, li...@lazygranch.com wrote:
> So is this level of encryption something openssl sets up? That is where do I
> set the parameter?
>
> Original Message
> From: Sven Schwedas
> Sent: Friday, November 11, 2016 3:15 AM
> To: li...@lazygranch.com; postfix-users@postfix.org
> Subject: Re: bits of encryption
>
> On 2016-11-11 12:08, li...@lazygranch.com wrote:
>> That does explain a lot, but why when I "talk to myself" (send myself email)
>> do I get a lower grade (less bits) of encryption than when another server is
>> sending mail? Is there some parameter I need to set in postfix?
>
> Which particular algorithm gets chosen is usually up to the TLS client
> (which can be another server connecting to yours): At the start of the
> connection, client and server tell each other what ciphers they support,
> and the client picks one.
>
> There's pros and cons to 128 bit and 256 bit ciphers (128 bit is good
> enough and faster; 256 bit has more safety margin against *some* attacks
> – but not all), some programs prefer one or the other. You'll have to
> look up whether you can tell your particular client software to prefer
> 256 bit ciphers, if you want to.

Mozilla products often prefer 128-bit AES rather than 256-bit because of concerns that 256-bit may make certain types of timing attacks easier. The same may be true of other cipher suites.

With hardware AES the timing argument is probably moot, but I know out of all my processors, only my xeon has hardware AES - my i3 (now dead) did not and the i5 and i7 processors in my laptops do not. Mobile platforms also do not. So the timing paranoia may be real for a lot of users. Also a lot of servers still use mcrypt which doesn't use hardware AES even when available, so those servers *may* be safer with AES 128.

But anyway - I don't know that the timing attack argument is really valid, but that's allegedly why some software prefers AES 128 over AES 256. It's unlikely AES 128 will be broken anytime soon, but timing attacks can happen without breaking the actual encryption itself.

Personally I just make sure to configure the server to only offer modern ciphers without known issues and don't care that much which the client picks from the whitelist.

For private key RSA 4096 probably shouldn't be used btw, as some clients can't deal with RSA > 2048 and if you really need stronger than RSA 2048 then an ECDSA certificate is more efficient (but some older clients also don't work with it).

For mail servers I just use RSA 2048 as it works with just about everything and won't be cracked until long after the cert has expired and I've rotated the keys anyway.

But I'm just a guy on the Internet, so feel free to come to your own conclusions.
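
Added example, not part of any message in this thread: a Python sketch that expands a server-side cipher whitelist into its suites and bit strengths, then shows how two clients with opposite preference orders end up at 128 or 256 bits against the same whitelist. The whitelist string `ECDHE+AESGCM`, the two constructed clients, and the helper names `offered`, `negotiate` and `demo` are assumptions made for illustration; in OpenSSL the server makes the final selection and by default follows the client's preference order among the suites both sides support.

```python
import ssl

def offered(cipher_string):
    """Expand an OpenSSL cipher string into [(suite name, key bits)] for TLS 1.2 and older."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are always listed; skip them here.
    return [(c["name"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def negotiate(client_order, server_order, server_preempts=False):
    """Return the first mutually supported suite, walking the honoured side's order."""
    first, second = ((server_order, client_order) if server_preempts
                     else (client_order, server_order))
    return next((s for s in first if s in second), None)

def demo(whitelist="ECDHE+AESGCM"):
    """Negotiated bit strength for two constructed clients against one whitelist."""
    suites = offered(whitelist)
    bits = dict(suites)
    server = [name for name, _ in suites]
    # Constructed clients: same suites as the server, opposite preference order.
    clients = {
        "prefers_128": sorted(server, key=lambda n: bits[n]),
        "prefers_256": sorted(server, key=lambda n: -bits[n]),
    }
    results = {}
    for label, order in clients.items():
        # Default behaviour: the client's order decides.
        results[label] = bits[negotiate(order, server)]
        # Server preference enforced: the server's order decides.
        results[label + "_preempted"] = bits[negotiate(order, server, server_preempts=True)]
    return results

if __name__ == "__main__":
    for name, strength in offered("ECDHE+AESGCM"):
        print(f"{strength:>4} bits  {name}")
    print(demo())
```

Every suite the whitelist expands to is one the server is willing to use, so auditing that list is what matters; the bit count seen in a given session reflects the connecting client's ordering unless the server enforces its own.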