[pfx] Re: Why has smtpd_tls_cipherlist been deprecated?

2024-03-23 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 23, 2024 at 12:45:04PM +0100, Matthias Nagel via Postfix-users wrote:

> what is the rationale behind the deprecation of the setting
> `smtpd_tls_cipherlist`? Are there any plans to remove it entirely in
> some future versions?

Superseded by smtpd_tls_cipher_grade and tls_medium_cipherlist,
tls_high_cipherlist.

> I am looking for an option to explicitly set the list of allowed
> cipher suites.

In other words, you want to reduce the effective security of your server
in order to comply with a poorly suited to SMTP external security metric. 
You have my sympathy, but if you're at all at liberty to hold your
ground, do so, and let the defaults stand.


> The deprecated setting `smtpd_tls_cipherlist` allowed
> that. The new setting `smtpd_tls_mandatory_ciphers` only supports to
> enable a selection of cipher suites by defining a lower limit on the
> cryptographic strength (i.e. „low“, „medium“, „high“, ...) and it
> seems I can additionally use `smtpd_tls_exclude_ciphers` to remove
> certain unwanted cipher suites subsequently. For me, that feels a
> little bit cumbersome. Why not provide both ways? Or did I miss
> something?

Almost every attempt at explicit ciphers I've seen has been misguided.
Instead of specifying broad categories, these choose specific individual
code points, eliminating possible future additions that are stronger,
and excluding ciphers that are useful for interoperability.

It really is best to focus on actual security issues, rather than
exotic, if sexy, hypothetical cryptographic attacks.

- Install security patches in a timely manner

- Audit trusted SSH keys, ...

- DNSSEC-sign your domain, and monitor it well, checking for
  unexpectedly soon expiration of at least the core zone apex, if not
  all RRsets.

- Publish DANE TLSA records, and implement outbound DANE.  Monitor
  the correctness of your TLSA records, and make sure the rollover
  process cannot result in deploying a new cert before the matching
  TLSA records have already been published for a few TTLs.

Focus on the basics, tuning cryptographic parameters is a distraction.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
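The last item in Viktor's list, verifying that a certificate about to be deployed matches a TLSA record already published in DNS, as an added example that is not code from the thread or from Postfix. It assumes a record in presentation form (for example `3 1 1 <hex>`) and embeds a constructed, structurally valid DER certificate in place of a real one; the function names are mine.

```python
"""Pre-rollover DANE check: does a candidate certificate match the TLSA record
already published in DNS?  Added example (not thread or Postfix code); the
sample certificate and record below are constructed, not real."""
import hashlib
import re

def der_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo (TLSA selector 1): Certificate -> tbsCertificate
    -> [version] serial sigalg issuer validity subject -> SPKI."""
    _, pos, _ = der_tlv(cert_der, der_tlv(cert_der, 0)[1])
    if cert_der[pos] == 0xA0:               # optional explicit [0] version
        pos = der_tlv(cert_der, pos)[2]
    for _ in range(5):                      # skip the five fields before SPKI
        pos = der_tlv(cert_der, pos)[2]
    return cert_der[pos:der_tlv(cert_der, pos)[2]]

def tlsa_match_data(cert_der, selector, mtype):
    """RFC 6698 association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = raw, 1 = SHA-256, 2 = SHA-512; returned as hex."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        return data.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def cert_matches_tlsa(cert_der, tlsa_rr):
    """tlsa_rr in presentation form, e.g. '3 1 1 <hex>' (whitespace in hex ok)."""
    _usage, selector, mtype, assoc = tlsa_rr.split(None, 3)
    assoc = re.sub(r"\s+", "", assoc).lower()
    return tlsa_match_data(cert_der, int(selector), int(mtype)) == assoc

def der(tag, content):                      # helper for the constructed sample
    return bytes([tag, len(content)]) + content

# Constructed minimal certificate: structurally valid DER, not a real cert.
OID = der(0x30, b"\x06\x03\x2a\x03\x04")   # placeholder AlgorithmIdentifier
SAMPLE_SPKI = der(0x30, OID + b"\x03\x03\x00\x01\x02")
SAMPLE_CERT = der(0x30, der(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01" + OID
                            + b"\x30\x00" * 3 + SAMPLE_SPKI) + OID + b"\x03\x02\x00\x00")
# The record the DNS operator must have published before deploying SAMPLE_CERT.
SAMPLE_TLSA_RR = "3 1 1 " + tlsa_match_data(SAMPLE_CERT, 1, 1)
```

In a rollover script, feed it the new certificate's DER and the DNSSEC-validated TLSA RRset for `_25._tcp.<mx host>`, and refuse to deploy when no record matches.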


[pfx] Re: Why has smtpd_tls_cipherlist been deprecated?

2024-03-23 Thread Wietse Venema via Postfix-users
Matthias Nagel via Postfix-users:
> Hello everybody,
> 
> what is the rationale behind the deprecation of the setting
> `smtpd_tls_cipherlist`? Are there any plans to remove it entirely
> in some future versions?

smtpd_tls_cipherlist was removed in Postfix 2.3 (18 years ago).
Postfix 2.9 (12 years ago) and later log "unused parameter:
smtpd_tls_cipherlist" warnings.

Wietse