On Fri, Sep 24, 2021 at 07:05:00PM -0400, Alex wrote: > I recently ran testssl.sh (https://github.com/drwetter/testssl.sh) on > my mail server, and it's still showing TLS 1 and 1.1 still being > offered, as well as DES:
You should generally ignore most issues misreported by SSL/TLS testing sites that are not properly instrumented for opportunistic TLS, where some security is better than none, and we get security by raising the ceiling rather than the floor. A sufficiently recent Postfix release will give you acceptably secure defaults, that you largely don't need to tune, unless you overstay on a "long-term support" Postfix release well past its prime. > TLS 1 offered (deprecated) > TLS 1.1 offered (deprecated) These are fine to continue to offer, they pose no known issues for SMTP, especially on port 25, but the number of sending systems that need this crutch is quite low and falling. Examine some months to a year worth of logs to see whether any senders you care about are still using TLS prior to 1.2. If not, then you might set (all four verbatim): smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 there's a cleaner preferred syntax for newer versions of Postfix, set smtpd_tls_protocols = >=TLSv1.2 if your Postfix version Is 3.6.0 or later. > Testing cipher categories > Anonymous NULL Ciphers (no authentication) not offered (OK) Postfix typically offers aNULL ciphers on port 25, and turning them off is silly (except to shut up misguided TLS test sites). Perhaps you did that already, but it is not the default or necessary. > LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) offered (NOT ok) This may indicate a rather old Postfix version, or outdated non-default settings. All supported versions of Postfix have a default of: smtpd_tls_ciphers = medium Which rules out "LOW" ciphers, but not "RC4", so perhaps that's the reason for that item. While RC4 is deprecated, its use for opportunistic TLS in SMTP causes no known issues. Again if you find no use of RC4 from senders you care about in your logs, you can exclude "RC4" via: smtpd_tls_exclude_ciphers = MD5, RC4 > Triple DES Ciphers / IDEA offered The "3DES" and "IDEA" ciphers are basically the same class as RC4, check your logs. You can, if you wish, set: smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED > Obsoleted CBC ciphers (AES, ARIA etc.) offered There's no need to disable CBC, it is only an issue in browsers. Indeed CBC can be much safer that GCM in the face of a poorly seeded PRNG. > Testing server's cipher preferences > Has server cipher order? no (NOT ok) You can in most cases set (I'm inclined to make that the default soon, SMTP clients that have issues with this should be gone by now). tls_preempt_cipherlist = yes but SMTP TLS security is basically up to the client, if it makes weak choices, there's little the server can do to protect it. > What are the proper crypto settings for the safest configuration? Wrong question. The right question is: * What are the sensibly interoperable TLS settings, that don't set a low ceiling, allowing clients to negotiate the strongest available common ciphers, and only disable ciphers that are no longer in use or cause known issues in SMTP TLS. > smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 > smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 (Not sure why you listed smtpd twice) For mandatory TLS, you can add (both of): !TLSv1, !TLSv1.1 > smtpd_tls_protocols=!SSLv2,!SSLv3 > smtp_tls_protocols=!SSLv2,!SSLv3 Ditto, but based on log analysis. > smtp_tls_exclude_ciphers = 3DES Here, you can add: MD5, RC4, SEED, IDEA Again subject to log analysis in the case of RC4. > tls_ssl_options = NO_COMPRESSION For Postfix >= 3.4 consider adding: NO_RENEGOTIATION > tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA This is a bad idea. Don't do this. Use the default value. > smtp_tls_note_starttls_offer = yes Harmless, but pointless. > smtpd_tls_ask_ccert = yes Not needed on port 25, and not a good idea. > smtpd_tls_req_ccert = no Default, just leave out. > smtpd_tls_session_cache_database = > btree:/var/lib/postfix/smtpd_tls_session_cache Just use session tickets, not needed. -- Viktor.