postfix-users@postfix.org wrote in
:
|On Mon, May 08, 2023 at 06:13:25PM -0400, Wietse Venema via Postfix-users \
|wrote:
|> We're thinking of adding a few new settings to the stable Postfix
|> releases that allow Postfix to regain some control over crypto
|> policies that do not necessarily improve matters for SMTP where
|> the main result would be more plaintext communication.
|
|> With stable releases, it would not be approprriate to introduce a
|> boatload of features, but plausible candidates are:
|>
|> tls_config_file = default | none(*) | /path/to/file
|> (*)only OpenSSL 1.1.b and later
|
|Minor correction, the base OpenSSL release that supports configuration
|file overrides is "1.1.1b", rather than "1.1.b".
|
|- The minimum OpenSSL version supported by Postfix 3.6 and later is 1.1.1.
|- The OpenSSL version in which RedHat started introducing strict crypto
| policies is OpenSSL 3.0.
|
|This means that:
|
|- If you're still using OpenSSL 1.0.2 (with Postfix <= 3.5) you
| probably don't need to override the system-wide openssl.cnf file.
| Though it may be possible to use:
|
|import_environment =
|... default value from "postconf -d"...
|OPENSSL_CONF=/some/file
|
| An empty file would be equivalent to "none".
|
|- If you're using OpenSSL 1.1.1 or 1.1.1a, you also probably don't
| need to override the system-wide openssl.cnf file. Same
| work-around as before, or set the application name, and add
| appropriate application settings in the system-wide file.
|
|- If you're using OpenSSL 1.1.1b or later, and in particular 3.0
| or, especially on a RedHat or Fedora system, you may choose to
| override the system-wide configuration file or the application
| name. Then, overly strict cryptographic policy will not result
| in unnecessary downgrades to cleartext in opportunistic TLS.
|
|We'll probably later have to extend support for tweaking additional
|TLS-related settings through the "SSL_CONF" API, though that will have
|the downside that non-expert users may end up cargo culting settings
|that do more harm than good. I'll try to discourage this as much
Lame argument, isn't it. Just more settings, but in a generic way
that could be interchangeable in between servers if only all would
simply and only use that one. (I immediately jumped that train
and also support specific [module] sections, how complicated and
under-documented that in effect is. I liked the idea that you can
have it all in one OpenSSL configuration file, with a default
section and per-program sections.)
But CONF_ is not the same across implementations, and programs
continue to "bake their own bread rolls". (lighttpd now uses it.)
Having said that, terrible how OpenSSL switched that (loading of
a config file) on and off by default, and how they added config
via OPENSSL_INIT_SETTINGS object. Better set
OPENSSL_INIT_NO_LOAD_CONFIG and continue using
CONF_modules_load_file() explicitly (and exclusively) i thought.
Thanks.
Well it was a non-outstanding entry in a multi-thousand line
change log in between 1.1.1 and 3.0.0, so i seem to have missed
that. Thanks again.
|as possible, but the target audience will be those who know what
|they are doing, or are following sound advice.
|
|One goal may be to make some of the crypto hardening conditional on the
|TLS security level, which means different settings for different levels.
|
|Hopefully more on this as 3.9 snapshots evolve.
--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
|~~
|..and in spring, hear David Leonard sing..
|
|The black bear, The black bear,
|blithely holds his own holds himself at leisure
|beating it, up and down tossing over his ups and downs with pleasure
|~~
|Farewell, dear collar bear
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org