[pfx] Re: tls_high_cipherlist parameter
On 2023-05-01 at 04:45:37 UTC-0400 (Mon, 1 May 2023 10:45:37 +0200) Kolusion K via Postfix-users is rumored to have said:

> Hello
>
> Postfix's documentation for the tls_high_cipherlist parameter states to see the output of the command 'postconf -d' to see the default setting. Sadly, the documentation lacks specificness, and the output spit out about 500 lines, so I am not sure what I am supposed to be looking at.

The man page for postconf(8) very clearly and fully explains how to display a single parameter. The man page for postconf(5) explains what tls_high_cipherlist is, and there is also an in-depth README in the Postfix documentation for TLS configuration.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: tls_high_cipherlist parameter
On Mon, May 01, 2023 at 11:01:56AM +0200, Bernardo Reino via Postfix-users wrote:

> > Sadly, the documentation lacks specificness, and the output spit out about
> > 500 lines, so I am not sure what I am supposed to be looking at.
>
> postconf -d will print all the (default) settings, you can use grep to filter
> the specific line you're looking for.

No need for grep (output for Postfix 3.8):

    $ postconf -d tls_high_cipherlist
    tls_high_cipherlist = aNULL:-aNULL:HIGH:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:@STRENGTH

or,

    $ postconf -dhx tls_high_cipherlist
    aNULL:-aNULL:HIGH:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:@STRENGTH

which then makes it possible to, for example, list the ciphers that could be used when TLS 1.2 is negotiated:

    $ openssl ciphers -v -tls1_2 -s "$(postconf -dhx tls_high_cipherlist)"
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ...

However, the advice in the documentation to NOT tinker with the "tls_*_cipherlist" settings should not be taken lightly. A common rookie mistake is to cut/paste a cipherlist recommended in some random HOWTO, and assume that using that particular cipherlist will improve "security". The various HOWTO's that recommend an explicit list of concrete ciphers are all wrong, and their notion of "security" maps poorly onto opportunistic TLS.

I repeat: DO NOT tinker with the "tls_*_cipherlist" parameters, they're for emergency use only, in case many years after initial release some new surprise vulnerability makes it necessary to fine-tune the list. If that should some day happen, we'll update the documentation and post a message to the list.

For now, let the defaults stand. If some test you run against your server tells you that your server uses insecure cipher settings, and you haven't changed the Postfix defaults, the problem is a misguided test, not incorrect settings.

-- 
Viktor.
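An added example in Python, not from this thread or from Postfix itself, covering the two things the reply above leaves to the reader: it splits the default cipherlist into the token classes described in ciphers(1) (base selections, names deleted with '-', names permanently excluded with '!', and the @STRENGTH sort directive), and it scans "postconf -n" output for any tls_*_cipherlist parameter that has been set explicitly in main.cf, which is the audit check behind "if you haven't changed the Postfix defaults". The "postconf -n" sample below is constructed, not captured from a real host.

```python
import re

# tls_high_cipherlist as printed by "postconf -dhx" for Postfix 3.8 (quoted above).
DEFAULT_HIGH = ("aNULL:-aNULL:HIGH:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:"
                "!kDH:!kECDH:!aDSS:!MD5:@STRENGTH")

# Prefix meanings per ciphers(1): '-' deletes but allows later re-adding,
# '!' deletes permanently, '+' moves matching ciphers to the end of the list,
# '@' introduces a directive such as @STRENGTH (sort by key length).
PREFIX_CLASS = {"-": "deleted", "!": "killed", "+": "demoted", "@": "directives"}

def parse_cipherlist(spec):
    """Split an OpenSSL cipherlist string into its token classes."""
    out = {"select": [], "deleted": [], "killed": [], "demoted": [], "directives": []}
    for tok in filter(None, re.split(r"[:, ]", spec)):
        cls = PREFIX_CLASS.get(tok[0], "select")
        # '@' directives keep their prefix; other prefixes are stripped.
        out[cls].append(tok if cls in ("select", "directives") else tok[1:])
    return out

def overridden_cipherlists(postconf_n_output):
    """Return {name: value} for every tls_*_cipherlist parameter present in
    "postconf -n" output, i.e. set explicitly in main.cf rather than left
    at the compiled-in default that "postconf -d" shows."""
    found = {}
    for line in postconf_n_output.splitlines():
        m = re.match(r"\s*(tls_\w+_cipherlist)\s*=\s*(.*?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

# Constructed sample of "postconf -n" output (not from any real host) in which
# a HOWTO cipherlist was pasted into main.cf, overriding the default.
SAMPLE_POSTCONF_N = """\
smtpd_tls_security_level = may
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
smtp_tls_security_level = may
"""

if __name__ == "__main__":
    for name, value in overridden_cipherlists(SAMPLE_POSTCONF_N).items():
        print(f"{name} is overridden in main.cf: {value}")
    print(parse_cipherlist(DEFAULT_HIGH))
```

On a real host, feed it the actual output of "postconf -n"; an empty result means the cipherlists are still at the defaults and a scanner complaining about them is the misguided test Viktor describes.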
[pfx] Re: tls_high_cipherlist parameter
On Mon, 1 May 2023, Kolusion K via Postfix-users wrote:

> Hello
>
> Postfix's documentation for the tls_high_cipherlist parameter states to see the output of the command 'postconf -d' to see the default setting. Sadly, the documentation lacks specificness, and the output spit out about 500 lines, so I am not sure what I am supposed to be looking at.

postconf -d will print all the (default) settings, you can use grep to filter the specific line you're looking for.

> I found the parameter mentioned on one of the lines. I was expecting to see a list of ciphers, such as AES-256 et cetera, but I don't see any mention of a type of cipher, so I'm not sure if looking at the line for the tls_high_cipherlist parameter is what I am supposed to be looking at.

postfix uses openssl, and if you had read the manual you would have seen something like:

    * tls_high_cipherlist (default: see "postconf -d" output)
      The OpenSSL cipherlist for "high" grade ciphers. [...]

so you should then look at your openssl configuration (which may or may not be whatever default your distribution is using).

    $ man 1 ciphers

will take you further.

> Could anyone confirm if that is what I am supposed to be looking at and if I am correct in what I was expecting?

Only you can know what you were expecting, and hence what you are supposed to be looking at.

Good luck.