On Mon, Jan 25, 2021 at 10:38:46PM +0100, Jörg Backschues wrote:
> # TLS
> tls_high_cipherlist =
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

Limiting the ciphers to just:

    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-CHACHA20-POLY1305
    ECDHE-RSA-CHACHA20-POLY1305

is a terrible idea, the net effect of this attempt to increase security,
is to reduce security, by forcing all email to peers that don't do ECDHE
to be sent in the clear. Since your mail server is doing *opportunistic*
TLS (<https://tools.ietf.org/html/rfc7435>), it is willing to use the
weakest cipher of all, namely cleartext. Therefore, configuring highly
restrictive cipherlists is just wrong. Keep reading RFC7435 until
you've lost the urge to dial security up to 11.

Real security results from raising the ceiling (offering stronger
options), not the floor (remove everything but the strongest options).

Yes, ultimately one should also *gradually* raise the floor to eliminate
just the truly obsolete features that are no longer used by anyone, but
this needs to be done with care, and mostly just by leaving it to the
underlying libraries (i.e. OpenSSL) to drop support for obsolete cruft.

Postfix has sensible defaults for the low level cipher lists. Resist
the temptation to "improve" them.

--
Viktor.
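
The ceiling-versus-floor argument in the reply above, as an added example that is not part of the original message and is not Postfix or OpenSSL code. It is a simplified model of opportunistic TLS negotiation; the peer names, their supported suites and the `BROAD` list are constructed for illustration, and only the restricted list comes from the quoted configuration.

```python
# Simplified model of opportunistic TLS (RFC 7435) cipher negotiation.
# Not Postfix or OpenSSL code; the peers and the BROAD list are constructed.

# The cipher list from the quoted configuration.
RESTRICTED = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
).split(":")

# Constructed: the same ceiling, with older suites kept as a lower floor.
BROAD = RESTRICTED + ["DHE-RSA-AES256-GCM-SHA384", "AES256-SHA256", "AES128-SHA"]

# Constructed peers: name -> suites the remote MTA supports (empty = no STARTTLS).
PEERS = {
    "modern.example": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"],
    "dhe-only.example": ["DHE-RSA-AES256-GCM-SHA384", "AES128-SHA"],
    "legacy.example": ["AES128-SHA"],
    "no-tls.example": [],
}

def negotiate(local, peer):
    """Return the first locally preferred suite the peer also supports, else None."""
    return next((c for c in local if c in peer), None)

def deliver(local, peer, opportunistic=True):
    """Outcome of one delivery: the suite used, 'cleartext', or 'deferred'."""
    suite = negotiate(local, peer)
    if suite:
        return suite
    # Opportunistic TLS accepts cleartext as the weakest option, so a failed
    # handshake ends in an unencrypted delivery rather than a refusal.
    return "cleartext" if opportunistic else "deferred"

def cleartext_peers(local):
    """Peers whose mail goes out unencrypted under the given cipher list."""
    return sorted(p for p, s in PEERS.items() if deliver(local, s) == "cleartext")

if __name__ == "__main__":
    for label, ciphers in (("restricted", RESTRICTED), ("broad", BROAD)):
        for peer, suites in PEERS.items():
            print(f"{label:10} {peer:18} {deliver(ciphers, suites)}")
```

In this model the modern peer negotiates the same suite under both lists, so the restricted list gains nothing for it, while the peers without ECDHE move from an encrypted session to cleartext.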