[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
On Fri, Mar 01, 2024 at 08:58:07AM +0100, Alexander Leidinger wrote:

> > > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
> >
> > Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers,
> > which are fine to use.
>
> From the OpenSSL man page:
> ---snip---
> aNULL
>     The cipher suites offering no authentication. This is currently the
>     anonymous DH algorithms and anonymous ECDH algorithms. These cipher suites
>     are vulnerable to "man in the middle" attacks and so their use is
>     discouraged. These are excluded from the DEFAULT ciphers, but included in
>     the ALL ciphers. Be careful when building cipherlists out of lower-level
>     primitives such as kDHE or AES as these do overlap with the aNULL ciphers.
>     When in doubt, include !aNULL in your cipherlist.
> ---snip---

That OpenSSL manpage is not aimed at opportunistic TLS, so is a poor fit
for SMTP STARTTLS. The Postfix TLS_README and postconf(5) manpage are
more fit for purpose.

--
    Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
Viktor Dukhovni via Postfix-users wrote in :
 |On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:
 |
 |> i still use the
 |>
 |>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
 |>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
 |
 |I don't recommend cargo-culting random cipher lists.

Well i think he carefully selected that; i must admit i have blindly
said that, somewhen on this list i posted "the same" thing and by then
i still knew what was his and what i added or changed.

 |> smtpd_tls_mandatory_ciphers = high
 |> smtpd_tls_mandatory_exclude_ciphers = TLSv1
 |
 |In practice, this boils down to
 |
 |ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) \
 | Mac=SHA1
 |ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) \
 | Mac=SHA1
 |ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) \
 | Mac=SHA1
 |ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) \
 | Mac=SHA1
 |
 |Which should all be fine (better than cleartext) for email.

You are the specialist who can even write RFCs on this topic, dear
Viktor Dukhovni. Ie TLS. And regarding cryptographics aka its maths i
have zero competence. In reality, and myself, that is. If you say the
above TLSv1 things are ok, so it may be, but i would hope my above
config boils down to the below, because otherwise i would even have
misunderstood postconf(5).

  $ openssl ciphers -v EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20:!TLSv1
  TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
  TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
  TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
  ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
  ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
  ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
  ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
  ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
  ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
  ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
  ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
  DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
  DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
  DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
  DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
  ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
  ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
  DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
  RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
  DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
  ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
  PSK-CHACHA20-POLY1305 TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD

I also admit i do not understand your "campaigning for anon ciphers for
SMTP". I think the TLS system should move away from CA pools, to some
DNS based thing. Your DANE is standardized and you hear the word often,
i am currently enthusiastic on how pragmatic DKIM solved its problems,
and that includes the DNS record holding the certificate (aka public
key, here). I would have no problem (except for the sheer record size,
but of course, like DANE, a simple fingerprint could also be published,
this is sufficient!) with a simple TLSXXX record, as long as DNS can now
be used over secure transport itself, and DNSSEC is also simple and
simply available. 'Still hoping for my provider to add it, now. For
S/MIME it would have to provide the complete key, however. Ie, very
simple and pragmatic, with decades old OpenSSL functions to simply load
PEM key data in, and you are ready to go.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
On 2024-02-29 13:46, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
>
> > > What do you consider weak?
> >
> > All of the anonymous Diffie-Hellman suites with an "F" score. How can
> > eliminate the following:
>
> Who's assigning the "F" scores?

Nmap is telling this about the scores:
---snip---
Each ciphersuite is shown with a letter grade (A through F) indicating
the strength of the connection. The grade is based on the cryptographic
strength of the key exchange and of the stream cipher. The message
integrity (hash) algorithm choice is not a factor. The output line
beginning with Least strength shows the strength of the weakest cipher
offered. The scoring is based on the Qualys SSL Labs SSL Server Rating
Guide, but does not take protocol support (TLS version) into account,
which makes up 30% of the SSL Labs rating.
---snip---

The corresponding Qualys reference is:
https://www.ssllabs.com/projects/rating-guide/

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
On 2024-02-29 10:27, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users wrote:
>
> > # grep tls main.cf | grep -vE '^#'
> > smtp_tls_security_level = encrypt
> > smtpd_tls_ask_ccert = yes
> > smtpd_tls_CApath = $smtp_tls_CApath
>
> Not generally applicable.

I agree. Therefore my comment to not take it blindly. What is good for
the particular server where I took this from, may not be suitable for
everyone.

> > smtp_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> > smtp_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> > smtpd_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> > smtpd_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
>
> Obsolete syntax.

This config has history...

> > tls_random_source = dev:/dev/urandom
> > smtpd_tls_eecdh_grade = auto
>
> Best defaulted.
>
> > smtp_tls_CApath = /etc/ssl/certs
>
> Pointless except when the security level is "secure" (or "verify").

You deleted the smtp_tls_policy_maps setting where this may or may not
make sense for users...

> > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
>
> Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers,
> which are fine to use.

From the OpenSSL man page:
---snip---
aNULL
    The cipher suites offering no authentication. This is currently the
    anonymous DH algorithms and anonymous ECDH algorithms. These cipher suites
    are vulnerable to "man in the middle" attacks and so their use is
    discouraged. These are excluded from the DEFAULT ciphers, but included in
    the ALL ciphers. Be careful when building cipherlists out of lower-level
    primitives such as kDHE or AES as these do overlap with the aNULL ciphers.
    When in doubt, include !aNULL in your cipherlist.
---snip---

As I said, this should not be taken blindly. Best is to adapt it to the
local security guidelines.

Bye,
Alexander.
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:

> i still use the
>
>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20

I don't recommend cargo-culting random cipher lists.

>   smtpd_tls_mandatory_ciphers = high
>   smtpd_tls_mandatory_exclude_ciphers = TLSv1

In practice, this boils down to

    ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
    ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
    ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1

Which should all be fine (better than cleartext) for email.

--
    Viktor.
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
postfix-users@postfix.org wrote in :
 |On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
 |
 |> Sorry, context is important. This server needs to pass a Payment Card
 |> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
 |> less than 112 bits, or else use the 3DES encryption suite". Opportunistic
 |> TLS is NOT a goal.

i still use the

  # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
  tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
  smtpd_tls_mandatory_ciphers = high
  smtpd_tls_mandatory_exclude_ciphers = TLSv1

that the developer of my lighttpd server has introduced for HTTP, and i
do not feel i have a fallout. I have just looked and i do not see
a single SSL_accept error or "no shared cipher" or what message at all
in my logs. (But note they rotate over after about 48 hours, and the
ones mailed to me i drop at a glance.)

--steffen
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:

> Sorry, context is important. This server needs to pass a Payment Card
> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
> less than 112 bits, or else use the 3DES encryption suite". Opportunistic
> TLS is NOT a goal.

Many of the anon-DH ciphers are quite strong by that metric, they use
AES-128 or AES-256.

> > What do you consider weak?
>
> All of the anonymous Diffie-Hellman suites with an "F" score. How can
> eliminate the following:

Who's assigning the "F" scores? Do they in fact line up with the PCI
requirements? As explained in:

    https://www.postfix.org/TLS_README.html#client_tls_limits
    https://datatracker.ietf.org/doc/html/rfc7672#section-8.2

there is nothing wrong with leaving anon-DH ciphers enabled on servers.
They can however be disabled to comply with clueless auditors by
setting:

    smtpd_tls_exclude_ciphers = aNULL

or (if applicable only with mandatory TLS):

    smtpd_tls_mandatory_exclude_ciphers = aNULL

--
    Viktor.
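Added example, not written by any poster in this thread: a Python check that applies the PCI definition quoted above ("key lengths of less than 112 bits, or else use the 3DES encryption suite") to nmap ssl-enum-ciphers output and keeps that test separate from the "anonymous" property behind the F grades. The sample scan is constructed (the 3DES line and its grade are made up for illustration), the function names are hypothetical, and combining aNULL with 3DES in one exclude line is an assumption built from the OpenSSL class names used in this thread.

```python
import re

# Constructed sample in the layout of the nmap ssl-enum-ciphers output quoted
# in this thread. The 3DES line and its grade are made up for illustration.
SAMPLE_SCAN = """\
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
"""

SUITE_LINE = re.compile(
    r"^\|\s+(?P<suite>TLS_\w+)"       # IANA suite name
    r"(?:\s+\((?P<kex>[^)]*)\))?"      # optional "(dh 2048)" / "(secp256r1)"
    r"\s+-\s+(?P<grade>[A-F])\s*$"     # nmap letter grade
)
SIZED_CIPHER = re.compile(r"_WITH_(?:AES|CAMELLIA|ARIA)_(\d+)_")
PCI_MIN_BITS = 112  # from the PCI definition quoted in the thread


def bulk_key_bits(suite):
    """Symmetric key size implied by the suite name, or None if unknown."""
    if "_WITH_CHACHA20_" in suite:
        return 256
    if "_WITH_3DES_EDE_" in suite:
        return 168  # three-key 3DES key size; flagged by name below regardless
    m = SIZED_CIPHER.search(suite)
    return int(m.group(1)) if m else None


def parse_scan(text):
    """Return one record per cipher-suite line in ssl-enum-ciphers output."""
    rows = []
    for line in text.splitlines():
        m = SUITE_LINE.match(line)
        if not m:
            continue  # port line, section headers, anything that is not a suite
        suite = m.group("suite")
        bits = bulk_key_bits(suite)
        three_des = "_3DES_" in suite
        rows.append({
            "suite": suite,
            "grade": m.group("grade"),
            "bits": bits,
            "anonymous": "_anon_" in suite,   # no server authentication
            "three_des": three_des,
            # An unknown key size counts as weak so that it gets reviewed.
            "pci_weak": bits is None or bits < PCI_MIN_BITS or three_des,
        })
    return rows


def audit(text):
    """Summarise a scan: PCI-weak suites, anonymous suites, and a main.cf line."""
    rows = parse_scan(text)
    anon = [r["suite"] for r in rows if r["anonymous"]]
    exclude = []
    if anon:
        exclude.append("aNULL")  # the setting given in the thread
    if any(r["three_des"] for r in rows):
        exclude.append("3DES")   # OpenSSL class name, as in the !3DES cipherlist
    return {
        "pci_weak": [r["suite"] for r in rows if r["pci_weak"]],
        "anonymous": anon,
        "anonymous_but_pci_strong": [
            r["suite"] for r in rows if r["anonymous"] and not r["pci_weak"]
        ],
        "grade_f_not_anonymous": [
            r["suite"] for r in rows if r["grade"] == "F" and not r["anonymous"]
        ],
        "main_cf": ("smtpd_tls_exclude_ciphers = " + ", ".join(exclude))
        if exclude else "",
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

On the sample, every F-graded suite is anonymous and none of them fails the key-length test, so the scanner grade and the PCI wording measure different properties.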
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
> -----Original Message-----
> From: Viktor Dukhovni via Postfix-users
> Sent: Wednesday, February 28, 2024 8:46 PM
> To: postfix-users@postfix.org
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users wrote:
>
> > Would someone please describe the configuration settings needed to support
> > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> > configuration files:
>
> This is not the right question. Some "weak" ciphers are appropriate in
> opportunistic TLS, because they are better than cleartext. This applies
> when they are still the best available to a non-negligible set of peers.

Sorry, context is important. This server needs to pass a Payment Card
Industry (PCI) compliance scan. Their definition of weak: "key lengths of
less than 112 bits, or else use the 3DES encryption suite". Opportunistic
TLS is NOT a goal.

>   - Provided your system prefers stronger ciphers, and the offered
>     "weak" ciphers don't put the integrity of the handshake at
>     risk, weak ciphers are fine, provided strong ones are preferred.
>
> > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
>
> This is not needed. Consider setting "tls_preempt_cipherlist = yes".

OK.

> > Here's what I see when I use nmap to retrieve the supported ciphers (note
> > that there are only TLS 1.2 ciphers listed, and some are weak):
>
> What do you consider weak?

All of the anonymous Diffie-Hellman suites with an "F" score. How can I
eliminate the following:

> > | TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > | TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > | TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > | TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > | TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > | TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > | TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> > | TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F

And keep these?

> > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> > | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> > | TLS_RSA_WITH_
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users wrote:

> # grep tls main.cf | grep -vE '^#'
> smtp_tls_security_level = encrypt
> smtpd_tls_ask_ccert = yes
> smtpd_tls_CApath = $smtp_tls_CApath

Not generally applicable.

> smtp_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> smtp_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> smtpd_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> smtpd_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1

Obsolete syntax.

> tls_random_source = dev:/dev/urandom
> smtpd_tls_eecdh_grade = auto

Best defaulted.

> smtp_tls_CApath = /etc/ssl/certs

Pointless except when the security level is "secure" (or "verify").

> tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;

Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers,
which are fine to use.

> tls_preempt_cipherlist = yes

This is actually a reasonable setting for a change.

--
    Viktor.
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
On 2024-02-28 14:55, Scott Hollenbeck via Postfix-users wrote:
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my

That depends on your definition of "weak".

> configuration files:
>
> main.cf:
>
> smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> smtpd_tls_security_level = may
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_protocols = >=TLSv1.2
> smtpd_tls_mandatory_protocols = >=TLSv1.2
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem

Don't take the following as-is. Research what each option is doing, your
mileage may vary. Others may have other opinions.

# grep tls main.cf | grep -vE '^#'
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_security_level = encrypt
smtp_tls_session_cache_timeout = 3600s
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
smtp_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
tls_random_source = dev:/dev/urandom
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_connection_reuse = yes
smtpd_tls_chain_files = /usr/local/etc/postfix/ssl/outgoing_key.pem
smtp_tls_chain_files = $smtpd_tls_chain_files
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/ssl/dh_2048.pem
smtpd_tls_dh512_param_file = /usr/local/etc/postfix/ssl/dh_512.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_CApath = $smtp_tls_CApath
smtpd_tls_eecdh_grade = auto
smtpd_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
smtpd_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
smtpd_tls_mandatory_ciphers=high
smtp_tls_policy_maps = hash:/usr/local/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION

This gives (nmap 7.94):

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       T
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users wrote:

> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:

This is not the right question. Some "weak" ciphers are appropriate in
opportunistic TLS, because they are better than cleartext. This applies
when they are still the best available to a non-negligible set of peers.

  - Provided your system prefers stronger ciphers, and the offered
    "weak" ciphers don't put the integrity of the handshake at
    risk, weak ciphers are fine, provided strong ones are preferred.

> smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem

This is not needed. Consider setting "tls_preempt_cipherlist = yes".

> Here's what I see when I use nmap to retrieve the supported ciphers (note
> that there are only TLS 1.2 ciphers listed, and some are weak):

What do you consider weak?

> 587/tcp open submission
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> |       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> |       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> |       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> |       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> |       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> |       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> |       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> |       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A

--
    Viktor.
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
> -----Original Message-----
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 3:11 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Right, but that page says "You are strongly encouraged not to change this
> > setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers when
> > "smtpd_tls_protocols = >=TLSv1.2". Doesn't that setting include TLS 1.3?
>
> tls_high_cipherlist and tls_medium_cipherlist primarily list the
> ciphers that Postfix should NOT use.

It turns out that the scanner I'm using (nmap --script ssl-enum-ciphers)
doesn't support TLS 1.3. Postfix may well be configured properly.

Scott
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
Scott Hollenbeck via Postfix-users:
> Right, but that page says "You are strongly encouraged not to change this
> setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers when
> "smtpd_tls_protocols = >=TLSv1.2". Doesn't that setting include TLS 1.3?

tls_high_cipherlist and tls_medium_cipherlist primarily list the
ciphers that Postfix should NOT use.

    Wietse
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
Right, but that page says "You are strongly encouraged not to change this
setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers when
"smtpd_tls_protocols = >=TLSv1.2". Doesn't that setting include TLS 1.3?

Scott

> -----Original Message-----
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 2:38 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Thanks, here's the output:
> >
> > $ postconf -H | grep -E 'high|medium'
> > tls_high_cipherlist
> > tls_medium_cipherlist
> > $
> >
>
> No, a hint to study the postconf(5) manpage.
> https://www.postfix.org/postconf.5.html#tls_high_cipherlist
> https://www.postfix.org/postconf.5.html#tls_medium_cipherlist
>
> Wietse
> >
> > Scott
> >
> > > -----Original Message-----
> > > From: Wietse Venema via Postfix-users
> > > Sent: Wednesday, February 28, 2024 2:18 PM
> > > To: Postfix users
> > > Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > > Ciphers
> > >
> > > Scott Hollenbeck via Postfix-users:
> > > > Sorry, I should note that this is for postfix 3.6.4.
> > > >
> > >
> > > postconf -H | grep -E 'high|medium'
> > >
> > > Wietse
> > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Scott Hollenbeck via Postfix-users
> > > > > Sent: Wednesday, February 28, 2024 8:55 AM
> > > > > To: postfix-users@postfix.org
> > > > > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > > > > Ciphers
> > > > >
> > > > > Would someone please describe the configuration settings needed to support
> > > > > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> > > > > configuration files:
> > > > >
> > > > > main.cf:
> > > > >
> > > > > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > > > > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > > > > smtpd_tls_security_level = may
> > > > > smtpd_tls_mandatory_ciphers = high
> > > > > smtpd_tls_protocols = >=TLSv1.2
> > > > > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > > > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > > > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > > > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > > > > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > > > >
> > > > > master.cf:
> > > > >
> > > > > submission inet n - n - - smtpd
> > > > >   -o syslog_name=postfix/submission
> > > > >   -o smtpd_tls_security_level=encrypt
> > > > >   -o smtpd_sasl_auth_enable=yes
> > > > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > > > >
> > > > > Here's what I see when I use nmap to retrieve the supported ciphers (note
> > > > > that there are only TLS 1.2 ciphers listed, and some are weak):
> > > > >
> > > > > $ nmap-ciphers 587 mysite.com
> > > > > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > > > > Nmap scan report for mysite.com (173.255.237.114)
> > > > > Host is up (0.00017s latency).
> > > > > Other addresses for mysite.com (not scanned):
> > > > > 2600:3c03::f03c:91ff:fe70:dbb
> > > > > rDNS record for 173.255.237.114: mysite.net
> > > > >
> > > > > PORT    STATE SERVICE
> > > > > 587/tcp open  submission
> > > > > | ssl-enum-ciphers:
> > > > > |   TLSv1.2:
> > > > > |     ciphers:
> > > > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > > > |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > > > > |       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > > > > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > &
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
Scott Hollenbeck via Postfix-users:
> Thanks, here's the output:
>
> $ postconf -H | grep -E 'high|medium'
> tls_high_cipherlist
> tls_medium_cipherlist
> $
>

No, a hint to study the postconf(5) manpage.

https://www.postfix.org/postconf.5.html#tls_high_cipherlist
https://www.postfix.org/postconf.5.html#tls_medium_cipherlist

Wietse

>
> Scott
>
> > -----Original Message-----
> > From: Wietse Venema via Postfix-users
> > Sent: Wednesday, February 28, 2024 2:18 PM
> > To: Postfix users
> > Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > Ciphers
> >
> > Scott Hollenbeck via Postfix-users:
> > > Sorry, I should note that this is for postfix 3.6.4.
> > >
> >
> > postconf -H | grep -E 'high|medium'
> >
> > Wietse
> >
> > >
> > > > -----Original Message-----
> > > > From: Scott Hollenbeck via Postfix-users
> > > > Sent: Wednesday, February 28, 2024 8:55 AM
> > > > To: postfix-users@postfix.org
> > > > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > > > Ciphers
> > > >
> > > > Would someone please describe the configuration settings needed to support
> > > > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> > > > configuration files:
> > > >
> > > > main.cf:
> > > >
> > > > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > > > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > > > smtpd_tls_security_level = may
> > > > smtpd_tls_mandatory_ciphers = high
> > > > smtpd_tls_protocols = >=TLSv1.2
> > > > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > > > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > > >
> > > > master.cf:
> > > >
> > > > submission inet n - n - - smtpd
> > > >   -o syslog_name=postfix/submission
> > > >   -o smtpd_tls_security_level=encrypt
> > > >   -o smtpd_sasl_auth_enable=yes
> > > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > > >
> > > > Here's what I see when I use nmap to retrieve the supported ciphers (note
> > > > that there are only TLS 1.2 ciphers listed, and some are weak):
> > > >
> > > > $ nmap-ciphers 587 mysite.com
> > > > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > > > Nmap scan report for mysite.com (173.255.237.114)
> > > > Host is up (0.00017s latency).
> > > > Other addresses for mysite.com (not scanned): 2600:3c03::f03c:91ff:fe70:dbb
> > > > rDNS record for 173.255.237.114: mysite.net
> > > >
> > > > PORT    STATE SERVICE
> > > > 587/tcp open  submission
> > > > | ssl-enum-ciphers:
> > > > |   TLSv1.2:
> > > > |     ciphers:
> > > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > > > |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
Thanks, here's the output:

$ postconf -H | grep -E 'high|medium'
tls_high_cipherlist
tls_medium_cipherlist
$

Empty cipher lists?

Scott

> -----Original Message-----
> From: Wietse Venema via Postfix-users
> Sent: Wednesday, February 28, 2024 2:18 PM
> To: Postfix users
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
>
> Scott Hollenbeck via Postfix-users:
> > Sorry, I should note that this is for postfix 3.6.4.
> >
>
> postconf -H | grep -E 'high|medium'
>
> Wietse
>
> >
> > > -----Original Message-----
> > > From: Scott Hollenbeck via Postfix-users
> > > Sent: Wednesday, February 28, 2024 8:55 AM
> > > To: postfix-users@postfix.org
> > > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > > Ciphers
> > >
> > > Would someone please describe the configuration settings needed to support
> > > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> > > configuration files:
> > >
> > > main.cf:
> > >
> > > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > > smtpd_tls_security_level = may
> > > smtpd_tls_mandatory_ciphers = high
> > > smtpd_tls_protocols = >=TLSv1.2
> > > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > >
> > > master.cf:
> > >
> > > submission inet n - n - - smtpd
> > >   -o syslog_name=postfix/submission
> > >   -o smtpd_tls_security_level=encrypt
> > >   -o smtpd_sasl_auth_enable=yes
> > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > >
> > > Here's what I see when I use nmap to retrieve the supported ciphers (note
> > > that there are only TLS 1.2 ciphers listed, and some are weak):
> > >
> > > $ nmap-ciphers 587 mysite.com
> > > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > > Nmap scan report for mysite.com (173.255.237.114)
> > > Host is up (0.00017s latency).
> > > Other addresses for mysite.com (not scanned): 2600:3c03::f03c:91ff:fe70:dbb
> > > rDNS record for 173.255.237.114: mysite.net
> > >
> > > PORT    STATE SERVICE
> > > 587/tcp open  submission
> > > | ssl-enum-ciphers:
> > > |   TLSv1.2:
> > > |     ciphers:
> > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > > |       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > > |       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > > |       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > > |       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > > |       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > > |       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > > |       TLS_ECDHE_RSA_WITH
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
Scott Hollenbeck via Postfix-users:
> Sorry, I should note that this is for postfix 3.6.4.
>

postconf -H | grep -E 'high|medium'

Wietse

>
> > -----Original Message-----
> > From: Scott Hollenbeck via Postfix-users
> > Sent: Wednesday, February 28, 2024 8:55 AM
> > To: postfix-users@postfix.org
> > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > Ciphers
> >
> > Would someone please describe the configuration settings needed to support
> > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> > configuration files:
> >
> > main.cf:
> >
> > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > smtpd_tls_security_level = may
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_protocols = >=TLSv1.2
> > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> >
> > master.cf:
> >
> > submission inet n - n - - smtpd
> >   -o syslog_name=postfix/submission
> >   -o smtpd_tls_security_level=encrypt
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >
> > Here's what I see when I use nmap to retrieve the supported ciphers (note
> > that there are only TLS 1.2 ciphers listed, and some are weak):
> >
> > $ nmap-ciphers 587 mysite.com
> > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > Nmap scan report for mysite.com (173.255.237.114)
> > Host is up (0.00017s latency).
> > Other addresses for mysite.com (not scanned): 2600:3c03::f03c:91ff:fe70:dbb
> > rDNS record for 173.255.237.114: mysite.net
> >
> > PORT    STATE SERVICE
> > 587/tcp open  submission
> > | ssl-enum-ciphers:
> > |   TLSv1.2:
> > |     ciphers:
> > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > |       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > |       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > |       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > |       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > |       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > |       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> > |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> > |       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> > |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_GCM_SH
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
Sorry, I should note that this is for postfix 3.6.4.

Scott

> -----Original Message-----
> From: Scott Hollenbeck via Postfix-users
> Sent: Wednesday, February 28, 2024 8:55 AM
> To: postfix-users@postfix.org
> Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers
>
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:
>
> main.cf:
>
> smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> smtpd_tls_security_level = may
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_protocols = >=TLSv1.2
> smtpd_tls_mandatory_protocols = >=TLSv1.2
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
>
> master.cf:
>
> submission inet n - n - - smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> Here's what I see when I use nmap to retrieve the supported ciphers (note
> that there are only TLS 1.2 ciphers listed, and some are weak):
>
> $ nmap-ciphers 587 mysite.com
> Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> Nmap scan report for mysite.com (173.255.237.114)
> Host is up (0.00017s latency).
> Other addresses for mysite.com (not scanned): 2600:3c03::f03c:91ff:fe70:dbb
> rDNS record for 173.255.237.114: mysite.net
>
> PORT    STATE SERVICE
> 587/tcp open  submission
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> |       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> |       TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> |       TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> |       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> |       TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> |       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> |       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> |       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_CAMEL
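The ssl-enum-ciphers listing quoted in this thread can be tallied mechanically to see which suites carry the F grade and what they have in common. The Python below is an added example, not part of any poster's message; the sample is a constructed subset of the quoted scan lines with nmap's indentation restored, and the names `parse_scan`, `kx_kind` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a subset of the scan lines quoted in the thread,
# with nmap's usual indentation restored.
SCAN = """\
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
"""

PROTO_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
SUITE_RE = re.compile(
    r"^\|\s+TLS_(\w+?)_WITH_(\w+)(?:\s+\(([^)]+)\))?\s+-\s+([A-F])\s*$")
AEAD_MARKS = ("_GCM", "_CCM", "CHACHA20_POLY1305")

def kx_kind(kx):
    """Classify the key-exchange part of a suite name."""
    if kx.endswith("_anon"):
        return "anon"        # no server authentication
    if kx.split("_")[0] in ("DHE", "ECDHE"):
        return "ephemeral"   # authenticated, ephemeral (EC)DH
    return "static"          # e.g. plain RSA key transport

def parse_scan(text):
    """Return one dict per cipher-suite line of ssl-enum-ciphers output."""
    suites, proto = [], None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if not m:
            continue  # port line, section headers, anything else
        kx, bulk, params, grade = m.groups()
        suites.append({
            "protocol": proto, "name": f"TLS_{kx}_WITH_{bulk}",
            "kind": kx_kind(kx), "params": params, "grade": grade,
            "aead": any(mark in bulk for mark in AEAD_MARKS),
        })
    return suites

def summarize(suites):
    """Tally suites by (grade, key-exchange kind, AEAD or not)."""
    return Counter(
        (s["grade"], s["kind"], "aead" if s["aead"] else "non-aead")
        for s in suites)

if __name__ == "__main__":
    parsed = parse_scan(SCAN)
    for key, count in sorted(summarize(parsed).items()):
        print(*key, count)
    print("F-graded:", [s["name"] for s in parsed if s["grade"] == "F"])
```

On this sample every F-graded entry is a `DH_anon` or `ECDH_anon` suite, and those are the only entries listed without key parameters.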