Revisiting Issue #359 - Allow OpenSSL options to be specified
Copying my comment on this ticket[1] to the list for discussion

---

I would like to re-open discussion on this issue for a different use case:

In light of more vulnerabilities discovered in the TLSv1.0 protocol since Dec 2013, I no longer feel it provides acceptable security and would like a configuration option to disable support for it. Going even further, I would also like to be able to disable TLSv1.1, and force all incoming connections to use TLSv1.2. Seeing as how this does not downgrade security, but rather upgrades it, I think it merits consideration.

Syntax could be something like dovecot's 10-ssl.conf option:

    tls_protocols = !TLSv1 !TLSv1.1

Also, let's purge all references to the Netscape product from 1996, 'ssl', and replace them with the IETF standard name, 'tls'.

---

[1] https://github.com/OpenSMTPD/OpenSMTPD/issues/359

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Revisiting Issue #359 - Allow OpenSSL options to be specified
On Mon, 27 Jul 2015 12:53:19 -0700, Török Edwin ed...@etorok.net wrote:

> Would this be for incoming or outgoing connections?

It's the incoming that I'm primarily concerned with, but that's a good point to raise. Should the setting affect both directions or be applied independently?

> For incoming connections this would downgrade security: if the remote server uses TLSv1.1 and fails to make a connection to OpenSMTPD (because it requires TLSv1.2), then it'll fall back to plaintext, which is worse than a hard-to-exploit vulnerability in TLS.

This argument assumes that incoming plaintext connections are accepted, which I am completely aware is the default. I've been forcing inbound TLS via the tls-require option for over a year now with no complaints.

> For outgoing connections you could require TLS always, but I'm not sure that's realistic yet if you actually want to deliver mail, and if you're not careful it might cause plaintext fallbacks.
>
> Just looking at my personal mail server I have roughly:
>
> smtp-in:
>   TLSv1/SSLv3 (TLSv1.2)    63%
>   TLSv1/SSLv3 (SSLv3)      24%
>   TLSv1/SSLv3 ()            7%
>   plaintext (proto=SMTP)    6%
>
> If I reject SSLv3, TLSv1 and 1.1 I'd have:
>   TLSv1.2     63%
>   plaintext   37%
>
> The SSLv3 seems to come from public mailing list servers.
>
> smtp-out:
>   TLSv1/SSLv3 (TLSv1.2)    96%
>   TLSv1/SSLv3 ()            4%
>
> I wouldn't be opposed to deprecating SSLv3, but what is the right way to do that without breaking mail deliverability or causing plaintext fallbacks? Perhaps you could accept the connection and reject immediately with an SMTP error code and a message describing the problem?

Basically, I want to force TLSv1.2 in both directions, plaintext is always verboten, and if the other party doesn't support it, that's their problem. I'm prepared to do without.
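The two things argued over in this thread, a dovecot-style protocol list like the one proposed in the first message and the "what share of my sessions would a TLSv1.2-only policy refuse" question in the reply, can be worked through together. The block below is an added example written for this page; it is not OpenSMTPD code and not the patch the ticket asks for. It assumes the dovecot convention for the list syntax (a spec made only of `!` entries starts from the full set), it uses the Python `ssl` module rather than OpenSMTPD's OpenSSL calls to show what the resulting floor looks like, and the session records are a constructed 100-record sample shaped like the percentages quoted above, not real OpenSMTPD log output.

```python
"""Added example for this thread (not OpenSMTPD code): parse a
dovecot-style protocol list such as "!SSLv3 !TLSv1 !TLSv1.1", measure
what that policy would do to a constructed sample of smtp-in sessions,
and build a Python ssl.SSLContext enforcing the same floor."""
import re
import ssl
from collections import Counter

# Weakest to strongest, using the names that appear in the thread.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_protocols(spec):
    """Return the allowed protocols, weakest first.

    Tokens are protocol names, optionally prefixed with '!' to disable.
    A spec made only of '!' entries starts from the full set (assumed
    dovecot convention); one with positive entries starts from those.
    """
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty protocol list")
    for t in tokens:
        if t.lstrip("!") not in PROTOCOLS:
            raise ValueError("unknown protocol %r" % t)
    positives = {t for t in tokens if not t.startswith("!")}
    allowed = positives or set(PROTOCOLS)
    allowed -= {t[1:] for t in tokens if t.startswith("!")}
    if not allowed:
        raise ValueError("every protocol is disabled")
    return [p for p in PROTOCOLS if p in allowed]


def minimum_version(spec):
    """Name of the weakest protocol the spec still permits."""
    return parse_protocols(spec)[0]


# Constructed sample in the shape of the thread's figures: 100 records
# split 63/24/7/6 like the smtp-in numbers quoted above.  Not real logs.
SAMPLE_SESSIONS = (
    ["TLSv1/SSLv3 (TLSv1.2)"] * 63
    + ["TLSv1/SSLv3 (SSLv3)"] * 24
    + ["TLSv1/SSLv3 ()"] * 7
    + ["plaintext (proto=SMTP)"] * 6
)

_NEGOTIATED = re.compile(r"^TLSv1/SSLv3 \((?P<ver>[^)]*)\)$")


def classify(record):
    """Map one session record to a protocol name, 'plaintext' or 'unknown'."""
    if record.startswith("plaintext"):
        return "plaintext"
    m = _NEGOTIATED.match(record)
    if m and m.group("ver") in PROTOCOLS:
        return m.group("ver")
    return "unknown"


def policy_impact(records, spec, tls_required=False):
    """Count what the policy does to each session.

    accepted:  negotiated version is in the allowed list
    rejected:  version is known and disallowed (a hard failure for the
               peer, which may then retry in plaintext), plus plaintext
               sessions when tls_required is set
    plaintext: sessions that never started TLS (only when not required)
    unknown:   records whose version could not be determined
    """
    result = Counter(accepted=0, rejected=0, plaintext=0, unknown=0)
    allowed = set(parse_protocols(spec))
    for rec in records:
        proto = classify(rec)
        if proto == "plaintext":
            result["rejected" if tls_required else "plaintext"] += 1
        elif proto == "unknown":
            result["unknown"] += 1
        elif proto in allowed:
            result["accepted"] += 1
        else:
            result["rejected"] += 1
    return dict(result)


_PY_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def server_context(spec):
    """Server-side SSLContext whose floor is the spec's weakest protocol.

    Only the minimum is pinned, so anything newer (TLS 1.3) stays allowed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = _PY_VERSION[minimum_version(spec)]
    return ctx


if __name__ == "__main__":
    spec = "!SSLv3 !TLSv1 !TLSv1.1"
    print("allowed:", parse_protocols(spec))
    print("plaintext accepted:", policy_impact(SAMPLE_SESSIONS, spec))
    print("tls-require:", policy_impact(SAMPLE_SESSIONS, spec, True))
    print("context floor:", server_context(spec).minimum_version.name)
```

Two things fall out of running it. First, the spec exactly as proposed in the first message, `!TLSv1 !TLSv1.1`, still leaves SSLv3 enabled under the assumed semantics; the floor only becomes TLSv1.2 when SSLv3 is negated as well. Second, on the sample the rejected share is 24% with plaintext still accepted and 30% once plaintext is refused too, which is the trade-off the reply describes: the policy is only an upgrade when the fallback to plaintext is closed off at the same time.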
Re: SSL/TLS
On Mon, 27 Jul 2015 19:40:39 -0700, SSL tuy...@aoiyuma.mydns.jp wrote:

> I am afraid of being attacked, so I want to limit it to PCs in Japan only (if a Japanese PC is hacked, this setting is not safe).

It would probably be more appropriate and effective to use a firewall such as OpenBSD's pf to accomplish this goal. OpenBSD also provides spamd which, along with a few selected real-time block lists added to the mix, makes a very effective spam filter.

> But I want to use connection security SSL/TLS. How do I do it?

The smtpd.conf(5) man page documents key generation in the EXAMPLES section near the end:

    In this second example, the aim is to permit mail relaying for any
    user that can authenticate using their normal login credentials. An
    RSA certificate must be provided to prove the server's identity. The
    mail server listens on all interfaces the default route(s) point to.
    Mail with a local destination should be sent to an external mda.

    First, the RSA certificate is created:

        # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
        # openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
            -out /etc/ssl/mail.example.com.crt -days 365
        # chmod 600 /etc/ssl/mail.example.com.crt
        # chmod 600 /etc/ssl/private/mail.example.com.key