On Fri, Sep 24, 2021 at 07:05:00PM -0400, Alex wrote:

> I recently ran testssl.sh (https://github.com/drwetter/testssl.sh) on
> my mail server, and it's still showing TLS 1 and 1.1 still being
> offered, as well as DES:

You should generally ignore most issues misreported by SSL/TLS testing
sites that are not properly instrumented for opportunistic TLS, where
some security is better than none, and we get security by raising the
ceiling rather than the floor.

A sufficiently recent Postfix release will give you acceptably secure
defaults, that you largely don't need to tune, unless you overstay on a
"long-term support" Postfix release well past its prime.

>  TLS 1      offered (deprecated)
>  TLS 1.1    offered (deprecated)

These are fine to continue to offer, they pose no known issues for SMTP,
especially on port 25, but the number of sending systems that need this
crutch is quite low and falling.  Examine some months to a year worth
of logs to see whether any senders you care about are still using TLS
prior to 1.2.  If not, then you might set (all four verbatim):

    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

there's a cleaner preferred syntax for newer versions of Postfix, set

    smtpd_tls_protocols = >=TLSv1.2

if your Postfix version Is 3.6.0 or later.

>  Testing cipher categories
>  Anonymous NULL Ciphers (no authentication)        not offered (OK)

Postfix typically offers aNULL ciphers on port 25, and turning them off
is silly (except to shut up misguided TLS test sites).  Perhaps you did
that already, but it is not the default or necessary.

>  LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      offered (NOT ok)

This may indicate a rather old Postfix version, or outdated non-default
settings.  All supported versions of Postfix have a default of:

    smtpd_tls_ciphers = medium

Which rules out "LOW" ciphers, but not "RC4", so perhaps that's the
reason for that item.  While RC4 is deprecated, its use for
opportunistic TLS in SMTP causes no known issues.  Again if you
find no use of RC4 from senders you care about in your logs, you
can exclude "RC4" via:

    smtpd_tls_exclude_ciphers = MD5, RC4

>  Triple DES Ciphers / IDEA                         offered

The "3DES" and "IDEA" ciphers are basically the same class as RC4, check
your logs.  You can, if you wish, set:

    smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED

>  Obsoleted CBC ciphers (AES, ARIA etc.)            offered

There's no need to disable CBC, it is only an issue in browsers.  Indeed
CBC can be much safer that GCM in the face of a poorly seeded PRNG.

>  Testing server's cipher preferences
>  Has server cipher order?     no (NOT ok)

You can in most cases set (I'm inclined to make that the default
soon, SMTP clients that have issues with this should be gone by
now).

    tls_preempt_cipherlist = yes

but SMTP TLS security is basically up to the client, if it makes weak
choices, there's little the server can do to protect it.

> What are the proper crypto settings for the safest configuration?

Wrong question.  The right question is:

    * What are the sensibly interoperable TLS settings, that don't
      set a low ceiling, allowing clients to negotiate the strongest
      available common ciphers, and only disable ciphers that are
      no longer in use or cause known issues in SMTP TLS.

> smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_mandatory_protocols=!SSLv2,!SSLv3

(Not sure why you listed smtpd twice)
For mandatory TLS, you can add (both of): !TLSv1, !TLSv1.1

> smtpd_tls_protocols=!SSLv2,!SSLv3
> smtp_tls_protocols=!SSLv2,!SSLv3

Ditto, but based on log analysis.

> smtp_tls_exclude_ciphers = 3DES

Here, you can add: MD5, RC4, SEED, IDEA
Again subject to log analysis in the case of RC4.

> tls_ssl_options = NO_COMPRESSION

For Postfix >= 3.4 consider adding: NO_RENEGOTIATION

> tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

This is a bad idea.  Don't do this.  Use the default value.

> smtp_tls_note_starttls_offer = yes

Harmless, but pointless.

> smtpd_tls_ask_ccert = yes

Not needed on port 25, and not a good idea.

> smtpd_tls_req_ccert = no

Default, just leave out.

> smtpd_tls_session_cache_database = 
> btree:/var/lib/postfix/smtpd_tls_session_cache

Just use session tickets, not needed.

-- 
    Viktor.

Reply via email to