On Wed, Feb 17, 2021 at 07:04:54PM +0100, Jeff Abrahamson wrote:

> But the man page makes a good argument for setting this to medium.
> I'd originally set smtpd_tls_mandatory_ciphers = high, I've switched
> it to medium.

You can set it back to "high".  Perhaps that should even be the new
default in the upcoming Postfix 3.6...

> > Yes, on the submission port, dropping support for TLS < 1.2
> > is much more reasonable, because presumably you can make
> > informed judgements as to what software the authorised users
> > have at their disposal.
>
> I was surprised by the level of disagreement on what best practice is.

There is no substantive disagreement, there's a well known trade-off
between:

    A.  Righteously sending a signal to the folks in the long tail of
        the curve to finally get off their behinds and support modern
        TLS specs.

    B.  Barring substantive downgrade exposure, raising the ceiling and
        leaving the floor alone, until such time as the long tail
        withers away to effectively nobody. (RFC7435).  This improves
        security without needlessly forcing laggards to cleartext.

Some laggards don't get the message until some folks take option A,
while the pragmatic and sensible thing is option B.  Do you want to
be a hero or a pragmatist?

> Setting these two should guarantee that no incoming connection is
> unencrypted.
>
>     smtpd_use_tls = yes
>     smtpd_tls_auth_only = yes

Sorry, no.  The first is an obsolete syntax to *enable* TLS, it was
replaced with "smtpd_tls_security_level = may".  The second also does
not enforce TLS, but it does cause SASL AUTH to not be offered as an
option until and unless a TLS connection is established.

> But which versions?  This seems to make sense: require high grade
> ciphers.

See RFC7435.  At this point the *only* medium cipher that's still used
by a very few laggards is RC4-SHA1.  Otherwise "high" is no longer an
issue.  For most sites, even RC4-SHA1 is never seen in practice.  We
have now probably reached the point in time where the long tail for
medium has withered away.  You can use "high" or "medium", either is
fine.  OpenSSL 1.1.1 by default disables RC4 at compile time, leaving
just SEED, which nobody needs for interoperability.

    $ openssl ciphers -s -tls1_2 -v MEDIUM
    DHE-RSA-SEED-SHA  SSLv3 Kx=DH   Au=RSA  Enc=SEED(128)  Mac=SHA1
    DHE-DSS-SEED-SHA  SSLv3 Kx=DH   Au=DSS  Enc=SEED(128)  Mac=SHA1
    SEED-SHA          SSLv3 Kx=RSA  Au=RSA  Enc=SEED(128)  Mac=SHA1

> I had initially set smtpd_tls_exclude_ciphers = RC4, aNULL, but,
> again, I see the man page makes a good argument against that, so I've
> removed the exclusion.

You don't need to and should not exclude aNULL, and "high" already
excludes "RC4", so you're all set in terms of the basic algorithms.

> The default value of smtpd_tls_mandatory_protocols is !SSLv2, !SSLv3.
> The suggestion on this thread was to set it as follows, which was
> certainly better than what I had (an explicit inclusion rather than an
> explicit exclusion).  I'm rather tempted, based on the man page, to
> change it to its default value (essentially, >= TLSv1).  I'm open to
> argument.
>
>     smtpd_tls_mandatory_ciphers = medium
>     # smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>     smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

The default is still reasonable for opportunistic TLS in SMTP.  On the
submission port, you can reasonably require >= TLS 1.2, if all the
authorised clients are expected to be able to do that.

-- 
    Viktor.
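
The points made in the reply above, turned into a small main.cf check. This is an added example, not part of the original message and not Postfix code; the function names, the finding texts and the sample main.cf are constructed for illustration, and treating "smtpd_tls_security_level = encrypt" as the setting that enforces TLS is taken from the Postfix documentation rather than from this thread.

```python
import re

# Constructed sample main.cf echoing settings quoted in the thread (not a real server).
SAMPLE_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = RC4, aNULL
# the indented line below continues the previous parameter
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
"""

def parse_main_cf(text):
    """Return {parameter: value}; skips blank and '#' lines, joins continuations."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] = f"{params[name]} {line.strip()}"
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def review(params):
    """Hypothetical checker: one finding per point raised in the reply above."""
    def items(key):
        return set(re.split(r"[,\s:]+", params.get(key, "").strip())) - {""}
    findings = []
    enforced = params.get("smtpd_tls_security_level") == "encrypt"
    if "smtpd_use_tls" in params:
        findings.append("smtpd_use_tls: obsolete syntax that only enables TLS; "
                        "replaced by smtpd_tls_security_level = may")
    if params.get("smtpd_tls_auth_only") == "yes" and not enforced:
        findings.append("smtpd_tls_auth_only: withholds SASL AUTH until TLS "
                        "is up, but does not enforce TLS")
    excluded = items("smtpd_tls_exclude_ciphers")
    if "aNULL" in excluded:
        findings.append("smtpd_tls_exclude_ciphers: aNULL should not be excluded")
    if "RC4" in excluded and params.get("smtpd_tls_mandatory_ciphers") == "high":
        findings.append("smtpd_tls_exclude_ciphers: RC4 is redundant with 'high'")
    if {"!TLSv1", "!TLSv1.1"} & items("smtpd_tls_mandatory_protocols"):
        findings.append("smtpd_tls_mandatory_protocols: TLS >= 1.2 floor; fits "
                        "submission, the default fits opportunistic port 25")
    return findings

print("\n".join(review(parse_main_cf(SAMPLE_MAIN_CF))))
```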