Postfix › Postfix Users

ECDSA and RSA: setting preference

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

20 messages Options

Zbyszek Żółkiewski

ECDSA and RSA: setting preference

Hi all,

Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails.
To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…).
Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck…

thanks,

_
Zbyszek Żółkiewski

Zbyszek Żółkiewski

Re: ECDSA and RSA: setting preference

I think i found solution to this, by modifying default high list to:

tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

server now prefers ECDSA over RSA. Can someone cross-check if that is correct solution for a problem and not pose any risk?

thanks,

_
Zbyszek Żółkiewski

> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33:
>
> Hi all,
>
> Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails.
> To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…).
> Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck…
>
> thanks,
>
> _
> Zbyszek Żółkiewski
>

Philip Paeps

Re: ECDSA and RSA: setting preference

On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote:

> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33:
>>Question: postfix 2.11: I have configured both RSA and ECDSA support
>>on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and
>>support for ECDSA works great - however ECDSA is _never_ selected as
>>cipher for sending or receiving mails.
>>To check if it is properly configured i have disabled RSA support and
>>running server only with ECDSA and i confirm it works with gmail
>>servers for example (cipher ECDHE-ECDSA…).
>>Is there any way i can force postfix to first try ECDHE-ECDSA… and
>>then fallback to RSA? Note, i have tried custom tls_high_cipherlist
>>but no luck…
>
>I think i found solution to this, by modifying default high list to:
>
>tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>
>server now prefers ECDSA over RSA. Can someone cross-check if that is correct solution for a problem and not pose any risk?

This poses an interoperability risk. You should carefully check your
maillogs for the ciphers you're excluding with this.

Try something like:

egrep "TLS connection established from.*with cipher" \
/var/log/maillog* | awk \
'{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
sort | uniq -c | sort -n

This will give you a list of ciphers negotiated by occurence.

I would not recommend fiddling with the default TLS cipherlists unless
you have a very specific need.

Note that many senders will fall back to plain SMTP if they can't
negotiate TLS with you. I feel a little security is better than no
security at all.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

Zbyszek Żółkiewski

Re: ECDSA and RSA: setting preference

thanks for the comment. But please not that i am using defaults postfix „high” settings - my only change is to force ECDSA at the beginning of the cipher list.

Full list from openssl is:

ciphers 'ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH’

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-ECDSA-NULL-SHA

adding ECDSA causes to change order only to the defaults. This could be also some kind of feature requests to postfix maintainers - to have option to sort (not change) cipher list.

Side note: it’s weird having @STRENGTH while it do not actually sort ciphers…. (not sure that is bug in openssl or what…)

_
Zbyszek Żółkiewski

> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 15:50:
>
> On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote:
>> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33:
>>> Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails.
>>> To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…).
>>> Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck…
>>
>> I think i found solution to this, by modifying default high list to:
>>
>> tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>>
>> server now prefers ECDSA over RSA. Can someone cross-check if that is correct solution for a problem and not pose any risk?
>
> This poses an interoperability risk. You should carefully check your maillogs for the ciphers you're excluding with this.
>
> Try something like:
>
> egrep "TLS connection established from.*with cipher" \
> /var/log/maillog* | awk \
> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
> sort | uniq -c | sort -n
>
> This will give you a list of ciphers negotiated by occurence.
>
> I would not recommend fiddling with the default TLS cipherlists unless you have a very specific need.
>
> Note that many senders will fall back to plain SMTP if they can't negotiate TLS with you. I feel a little security is better than no security at all.
>
> Philip
>
> --
> Philip Paeps
> Senior Reality Engineer
> Ministry of Information

Philip Paeps

Re: ECDSA and RSA: setting preference

On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote:

>> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 15:50:
>> On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote:
>>> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33:
>>>>Question: postfix 2.11: I have configured both RSA and ECDSA support
>>>>on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and
>>>>support for ECDSA works great - however ECDSA is _never_ selected as
>>>>cipher for sending or receiving mails.
>>>>To check if it is properly configured i have disabled RSA support
>>>>and running server only with ECDSA and i confirm it works with gmail
>>>>servers for example (cipher ECDHE-ECDSA…).
>>>>Is there any way i can force postfix to first try ECDHE-ECDSA… and
>>>>then fallback to RSA? Note, i have tried custom tls_high_cipherlist
>>>>but no luck…
>>>
>>>I think i found solution to this, by modifying default high list to:
>>>
>>> tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>>>
>>>server now prefers ECDSA over RSA. Can someone cross-check if that is
>>>correct solution for a problem and not pose any risk?
>>
>>This poses an interoperability risk. You should carefully check your
>>maillogs for the ciphers you're excluding with this.
>>
>>Try something like:
>>
>> egrep "TLS connection established from.*with cipher" \
>> /var/log/maillog* | awk \
>> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
>> sort | uniq -c | sort -n
>>
>>This will give you a list of ciphers negotiated by occurence.
>>
>>I would not recommend fiddling with the default TLS cipherlists unless
>>you have a very specific need.
>>
>>Note that many senders will fall back to plain SMTP if they can't
>>negotiate TLS with you. I feel a little security is better than no
>>security at all.
>
>thanks for the comment. But please not that i am using defaults postfix
>„high” settings - my only change is to force ECDSA at the beginning of
>the cipher list.

Sorry. I missed that you were on Postfix 2.11. I looked at ``postconf
-d tls_high_cipherlist`` on my Postfix 3.1.4 installation and it does
not list !MEDIUM or +RC4.

>adding ECDSA causes to change order only to the defaults. This could be
>also some kind of feature requests to postfix maintainers - to have
>option to sort (not change) cipher list.

You can achieve that using ``tls_{high,medium,low}_cipherlist`` together
with ``tls_preempt_cipherlist = yes``. I don't really think Postfix is
the correct place to sort ciphers by preference. That's something to do
in OpenSSL.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

@lbutlr

Re: ECDSA and RSA: setting preference

In reply to this post by Philip Paeps

On 2017-04-13 (07:50 MDT), Philip Paeps <[hidden email]> wrote:
>
> egrep "TLS connection established from.*with cipher" \
> /var/log/maillog* | awk \
> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
> sort | uniq -c | sort -n

Interesting. Ran this over a few days of logs:

5288 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
4633 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
2343 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256
1527 TLSv1 with cipher ECDHE-RSA-AES128-SHA
1250 TLSv1.2 with cipher AECDH-AES256-SHA

Everything else is under 500, and the next 2 are the top 2 TLSv1.2 without GCM.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.

Phil Stracchino

Re: ECDSA and RSA: setting preference

On 04/13/17 10:16, @lbutlr wrote:

> On 2017-04-13 (07:50 MDT), Philip Paeps <[hidden email]> wrote:
>>
>> egrep "TLS connection established from.*with cipher" \
>> /var/log/maillog* | awk \
>> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
>> sort | uniq -c | sort -n
>
> Interesting. Ran this over a few days of logs:
>
> 5288 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> 4633 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
> 2343 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256
> 1527 TLSv1 with cipher ECDHE-RSA-AES128-SHA
> 1250 TLSv1.2 with cipher AECDH-AES256-SHA
>
> Everything else is under 500, and the next 2 are the top 2 TLSv1.2 without GCM.

From today's log only (the rest are compressed):

402 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256
110 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
106 TLSv1 with cipher ADH-CAMELLIA256-SHA
54 TLSv1 with cipher DHE-RSA-AES256-SHA
32 TLSv1.2 with cipher AECDH-AES256-SHA
28 TLSv1 with cipher ECDHE-RSA-AES128-SHA
18 TLSv1 with cipher ECDHE-RSA-AES256-SHA
16 TLSv1 with cipher AES256-SHA
12 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
4 TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA
4 TLSv1 with cipher ADH-AES256-SHA

This is Postfix 3.2.0 with untouched default cipher settings.

--
Phil Stracchino
Babylon Communications
[hidden email]
[hidden email]
Landline: 603.293.8485

Philip Paeps

Re: ECDSA and RSA: setting preference

In reply to this post by @lbutlr

On 2017-04-13 08:16:29 (-0600), @lbutlr <[hidden email]> wrote:

>On 2017-04-13 (07:50 MDT), Philip Paeps <[hidden email]> wrote:
>> egrep "TLS connection established from.*with cipher" \
>> /var/log/maillog* | awk \
>> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
>> sort | uniq -c | sort -n
>
>Interesting. Ran this over a few days of logs:
>
>5288 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
>4633 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
>2343 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256
>1527 TLSv1 with cipher ECDHE-RSA-AES128-SHA
>1250 TLSv1.2 with cipher AECDH-AES256-SHA
>
>Everything else is under 500, and the next 2 are the top 2 TLSv1.2 without GCM.

That's a pretty good situation to be in. :)

I've been trying to reach out to the RC4-MD5 users who are unfortunately
still in the top 10 of one of the mail systems I manage.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

Zbyszek Żółkiewski

Re: ECDSA and RSA: setting preference

In reply to this post by Philip Paeps

all looks good except _outgoing_ mail that still uses ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using ECDHE-ECDSA-AES256-GCM-SHA384.

so where is problem ? settings are:

smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

_
Zbyszek Żółkiewski

> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 16:04:
>
> On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote:
>>> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 15:50:
>>> On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote:
>>>> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33:
>>>>> Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails.
>>>>> To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…).
>>>>> Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck…
>>>>
>>>> I think i found solution to this, by modifying default high list to:
>>>>
>>>> tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>>>>
>>>> server now prefers ECDSA over RSA. Can someone cross-check if that is correct solution for a problem and not pose any risk?
>>>
>>> This poses an interoperability risk. You should carefully check your maillogs for the ciphers you're excluding with this.
>>>
>>> Try something like:
>>>
>>> egrep "TLS connection established from.*with cipher" \
>>> /var/log/maillog* | awk \
>>> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
>>> sort | uniq -c | sort -n
>>>
>>> This will give you a list of ciphers negotiated by occurence.
>>>
>>> I would not recommend fiddling with the default TLS cipherlists unless you have a very specific need.
>>>
>>> Note that many senders will fall back to plain SMTP if they can't negotiate TLS with you. I feel a little security is better than no security at all.
>>
>> thanks for the comment. But please not that i am using defaults postfix „high” settings - my only change is to force ECDSA at the beginning of the cipher list.
>
> Sorry. I missed that you were on Postfix 2.11. I looked at ``postconf -d tls_high_cipherlist`` on my Postfix 3.1.4 installation and it does not list !MEDIUM or +RC4.
>
>> adding ECDSA causes to change order only to the defaults. This could be also some kind of feature requests to postfix maintainers - to have option to sort (not change) cipher list.
>
> You can achieve that using ``tls_{high,medium,low}_cipherlist`` together with ``tls_preempt_cipherlist = yes``. I don't really think Postfix is the correct place to sort ciphers by preference. That's something to do in OpenSSL.
>
> Philip
>
> --
> Philip Paeps
> Senior Reality Engineer
> Ministry of Information

Philip Paeps

Re: ECDSA and RSA: setting preference

On 2017-04-13 17:28:44 (+0200), Zbyszek Żółkiewski
<[hidden email]> wrote:

>> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu
>> 13.04.2017, o godz. 16:04:
>> On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski
>> <[hidden email]> wrote:
>>>> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu
>>>> 13.04.2017, o godz. 15:50:
>>>> On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski
>>>> <[hidden email]> wrote:
>>>>> Wiadomość napisana przez Zbyszek Żółkiewski
>>>>> <[hidden email]> w dniu 13.04.2017, o godz. 13:33:
>>>>>> Question: postfix 2.11: I have configured both RSA and ECDSA
>>>>>> support on the server (smtpd_tls_cert_file and
>>>>>> smtpd_tls_eccert_file) and support for ECDSA works great -
>>>>>> however ECDSA is _never_ selected as cipher for sending or
>>>>>> receiving mails.
>>>>>> To check if it is properly configured i have disabled RSA support
>>>>>> and running server only with ECDSA and i confirm it works with
>>>>>> gmail servers for example (cipher ECDHE-ECDSA…).
>>>>>> Is there any way i can force postfix to first try ECDHE-ECDSA…
>>>>>> and then fallback to RSA? Note, i have tried custom
>>>>>> tls_high_cipherlist but no luck…
>>>>>
>>>>> I think i found solution to this, by modifying default high list
>>>>> to:
>>>>>
>>>>> tls_high_cipherlist =
>>>>> ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>>>>>
>>>>> server now prefers ECDSA over RSA. Can someone cross-check if that
>>>>> is correct solution for a problem and not pose any risk?
>>>>
>>>> This poses an interoperability risk. You should carefully check
>>>> your maillogs for the ciphers you're excluding with this.
>>>>
>>>> [...]
>>>>
>>>> Note that many senders will fall back to plain SMTP if they can't
>>>> negotiate TLS with you. I feel a little security is better than no
>>>> security at all.
>>>
>>> thanks for the comment. But please not that i am using defaults
>>> postfix „high” settings - my only change is to force ECDSA at
>>> the beginning of the cipher list.
>>
>> Sorry. I missed that you were on Postfix 2.11. I looked at
>> ``postconf -d tls_high_cipherlist`` on my Postfix 3.1.4 installation
>> and it does not list !MEDIUM or +RC4.
>>
>>> adding ECDSA causes to change order only to the defaults. This could
>>> be also some kind of feature requests to postfix maintainers - to
>>> have option to sort (not change) cipher list.
>>
>> You can achieve that using ``tls_{high,medium,low}_cipherlist``
>> together with ``tls_preempt_cipherlist = yes``. I don't really think
>> Postfix is the correct place to sort ciphers by preference. That's
>> something to do in OpenSSL.
>
> all looks good except _outgoing_ mail that still uses
> ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using
> ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using
> ECDHE-ECDSA-AES256-GCM-SHA384.

Are you sure the servers you are talking to actually support ECDSA? :)

Did you check the TLS handshake with tcpdump to verify the cipherlist
offered by the server? By default TLS servers allow clients to select
their preferred cipher but they can override this default.

> so where is problem ? settings are:
>
> smtp_tls_ciphers = high
> smtp_tls_mandatory_ciphers = high
> smtpd_tls_ciphers = high
> smtpd_tls_mandatory_ciphers = high
> tls_high_cipherlist =
> ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

These settings look fine. You could perhaps add
``tls_preempt_cipherlist`` but this only affects smtpd, it has no effect
on the smtp client.

Please check the TLS handshake to verify the ordering of ciphers in the
client hello and whether the server offers ECDSA in the server hello and
that it doesn't preempt the client's offered ciphers.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

Viktor Dukhovni

Re: ECDSA and RSA: setting preference

In reply to this post by Zbyszek Żółkiewski

> On Apr 13, 2017, at 7:33 AM, Zbyszek Żółkiewski <[hidden email]> wrote:
>
> Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails.
> To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…).
> Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck…

OpenSSL prefers ECDSA to RSA by default. However, it also generally
accepts the client's cipher preference order. To use the server's
preference list set:

$ tls_preempt_cipherlist = yes

DO NOT change the "tls_{high,medium,...}_cipherlist" settings.

--
Viktor.

Viktor Dukhovni

Re: ECDSA and RSA: setting preference

In reply to this post by Zbyszek Żółkiewski

> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski <[hidden email]> wrote:
>
> all looks good except _outgoing_ mail that still uses ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using ECDHE-ECDSA-AES256-GCM-SHA384.
>
> so where is problem ? settings are:
>
> smtp_tls_ciphers = high
> smtp_tls_mandatory_ciphers = high
> smtpd_tls_ciphers = high
> smtpd_tls_mandatory_ciphers = high
> tls_high_cipherlist = ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

Please stop.

In trying to make your server "more secure" you're making it less secure.
See https://tools.ietf.org/html/rfc7435 for why.

The reason outgoing mail is not using ECDSA is that almost nobody has configured
ECDSA certificates along with their RSA certificates on their MX hosts. No matter
how fancy your SMTP client configuration the server won't suddenly acquire an ECDSA
key-pair.

The fewer changes you make to the Postfix TLS cipher settings, the more likely
you're to have a reasonably secure and interoperable configuration.

It is at this time not unreasonable to set "tls_preempt_cipherlist = yes" if
some of your SMTP clients have "poor" cipher preferences.

You can also exclude some truly obsolete ciphers via:

smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

which makes for a more compact TLS ClientHello. This is generally not
needed. Some of these exclusions might happen by default in a future
Postfix release. The MD5, kDH and kECDH ciphers are largely gone from
OpenSSL 1.1.0 and later. Only the eNULL MD5 cipher remains:

$ openssl ciphers -v MD5:kDH:kECDH
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5

--
Viktor.

Zbyszek Żółkiewski

Re: ECDSA and RSA: setting preference

_
Zbyszek Żółkiewski

> Wiadomość napisana przez Viktor Dukhovni <[hidden email]> w dniu 13.04.2017, o godz. 19:21:
>
>
>> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski <[hidden email]> wrote:
>>
>> all looks good except _outgoing_ mail that still uses ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using ECDHE-ECDSA-AES256-GCM-SHA384.
>>
>> so where is problem ? settings are:
>>
>> smtp_tls_ciphers = high
>> smtp_tls_mandatory_ciphers = high
>> smtpd_tls_ciphers = high
>> smtpd_tls_mandatory_ciphers = high
>> tls_high_cipherlist = ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
>
> Please stop.
>
> In trying to make your server "more secure" you're making it less secure.
> See https://tools.ietf.org/html/rfc7435 for why.
>
> The reason outgoing mail is not using ECDSA is that almost nobody has configured
> ECDSA certificates along with their RSA certificates on their MX hosts. No matter
> how fancy your SMTP client configuration the server won't suddenly acquire an ECDSA
> key-pair.
>

Thanks for the insights,

gmail for example works as i mentioned before. Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH” is a default postfix configuration - and i do not change it - just by adding ECDSA at the beginning, i am changing order of ciphers.

And you stated that "OpenSSL prefers ECDSA to RSA by default.” - that’s not true, you can see yourself in openssl ciphers command:

openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:……..

that is openssl 1.0.1 (debian 8), openssl in fact mix ECDHE-RSA and ECDHE-ECDSA (i guess order is because that suite is similar in strength, maybe)

> The fewer changes you make to the Postfix TLS cipher settings, the more likely
> you're to have a reasonably secure and interoperable configuration.
>
> It is at this time not unreasonable to set "tls_preempt_cipherlist = yes" if
> some of your SMTP clients have "poor" cipher preferences.
>
> You can also exclude some truly obsolete ciphers via:
>
> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
>
> which makes for a more compact TLS ClientHello. This is generally not
> needed. Some of these exclusions might happen by default in a future
> Postfix release. The MD5, kDH and kECDH ciphers are largely gone from
> OpenSSL 1.1.0 and later. Only the eNULL MD5 cipher remains:
>
> $ openssl ciphers -v MD5:kDH:kECDH
> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
>
> --
> Viktor.
>

Zbyszek Żółkiewski

Re: ECDSA and RSA: setting preference

In reply to this post by Philip Paeps

Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 19:46:
>
> How did you test it without RSA? If I try to connect to Google without RSA support (aNULL:-aNULL:HIGH:-aRSA:@STRENGTH), it fails to negotiate a cipher and the connection drops.
>
> As pointed out though: this really is not making anything more secure...

Sorry if i was not accurate with „RSA” - by that I did not have in mind RSA cipher suite but RSA certificate. If you replace RSA certificate with EC - you will see that all connections to google are made using ECDSA (or just leave smtpd_tls_eccert_file and comment out RSA cert)

And as the note that it not make things secure: yes i understand that - but if there is technology that is new and can be used - why not prioritize it where it can be? What’s the point then introducing new stuff if nobody uses it? In my opinion we should push new things, not hide it.

Viktor Dukhovni

Re: ECDSA and RSA: setting preference

In reply to this post by Zbyszek Żółkiewski

> On Apr 13, 2017, at 1:49 PM, Zbyszek Żółkiewski <[hidden email]> wrote:
>
> Thanks for the insights,
>
> Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH”
> is a default postfix configuration

Yes, I set that default...

> - and i do not change it - just by adding ECDSA at the beginning, i am changing order of ciphers.

That's a change.

> And you stated that "OpenSSL prefers ECDSA to RSA by default.”

It is true, when all the other factors that go into cipher selection
are equal. Strong key exchange, ... takes precedence over the
public key (authentication) algorithm preference.

With OpenSSL 1.1.0, the top few ciphers are:

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD

Note that ECDSA ciphers precede the *otherwise equivalent* RSA ciphers.

> openssl ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:……..

Yes, RSA was preferred in OpenSSL <= 1.0.2.

> that is openssl 1.0.1 (debian 8), openssl in fact mix ECDHE-RSA and ECDHE-ECDSA (i guess order is because that suite is similar in strength, maybe)

Your main security risk is weak key agreement, not weak authentication.
It is unlikely that your CPU overtaxed doing RSA handshakes. It is
simplest to let the RSA preference of OpenSSL 1.0.x stand.

Getting the cipher order right with ECDSA preferred over RSA for otherwise
equivalent and *sensibly ordered* parameters requires more care than is
worth the effort.

The supported ciphers change with time, and the entire cipher selection
process changes completely with TLS 1.3.

Just let the defaults stand. Yes, your ECDSA certificate will rarely
be used (actually with "tls_preempt_cipherlist = no", some OpenSSL >= 1.1.0
clients will prefer ECDSA, if they don't prefer aNULL instead).

--
Viktor.

Zbyszek Żółkiewski

Re: ECDSA and RSA: setting preference

In reply to this post by Zbyszek Żółkiewski

Wiadomość napisana przez Viktor Dukhovni <[hidden email]> w dniu 13.04.2017, o godz. 20:35:
>
>
>> On Apr 13, 2017, at 1:55 PM, Zbyszek Żółkiewski <[hidden email]> wrote:
>>
>> And as the note that it not make things secure: yes i understand that - but if there is technology that is new and can be used - why not prioritize it where it can be? What’s the point then introducing new stuff if nobody uses it? In my opinion we should push new things, not hide it.
>
> If you want new, deploy a system that uses OpenSSL 1.1.0, and not OpenSSL
> 1.0.1, which reached end-of-life in Dec 2016 and gets no further security
> fixes.

I hope to get there with next stable release

>
> In any case, in opportunistic security broad interoperability is far more
> useful than cutting-edge sophistication. Let the browsers and other
> software push the envelope with new algorithms, and over time these will
> become the norm in the underlying crypto libraries.

I think SMTP get too old and it will get even older and more obsolete if we will not put newtech/cutting edge into it. Even with hard push to enable encryption by default - we all know it will take many years until sysadmins decide to go „encrypt only” with smtp servers - there always will be someone who use old software. At some point community will have to decide to drop those who left too far behind.

>
> It makes little sense to expend precious energy on optimizing (best-effort)
> TLS in SMTP. If you want security, deploy DNSSEC and DANE for your domain:

yes, maybe my desire to prefer ECDSA was/is not worth of effort - at last, I just wanted to be used more - but it roll into nice discussion anyways

>
> http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
> https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
> https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
> https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
> https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
> http://tools.ietf.org/html/rfc7671#section-8.1
> http://tools.ietf.org/html/rfc7671#section-8.4
> http://dane.sys4.de/common_mistakes
>

thanks for the reference - i am tight to AWS R53 with some features

> That makes a real difference, while it is far from clear whether ECDSA is
> actually more or less secure than RSA. Of course deploying DANE means
> getting the operational details right:
>
> * Monitoring of TLSA record validity (match the actual server cert chain)
> * Monitoring of DNSSEC DS/DNSKEY records and signature non-expiration
> * Reliable key rotation
> * …

running good SMTP server is a serious job but also compelling

>
> This takes some skill to get right.
>
> --
> Viktor.
>

_
Zbyszek Żółkiewski

@lbutlr

Re: ECDSA and RSA: setting preference

In reply to this post by Phil Stracchino

On 2017-04-13 (08:54 MDT), Phil Stracchino <[hidden email]> wrote:
>
> From today's log only (the rest are compressed):

bzgrep "TLS connection established from.*with cipher” \
/var/log/maillog.{0..14}.bz2 | \
awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
sort | uniq -c | sort -rn

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.

@lbutlr

Re: ECDSA and RSA: setting preference

In reply to this post by Viktor Dukhovni

On 2017-04-13 (11:21 MDT), Viktor Dukhovni <[hidden email]> wrote:
>
> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

I have these, but also LOW, EXPORT, and RC4. Are these not needed?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.

Philip Paeps

Re: ECDSA and RSA: setting preference

On 2017-04-19 13:33:13 (+0200), @lbutlr <[hidden email]> wrote:
> On 2017-04-13 (11:21 MDT), Viktor Dukhovni
> <[hidden email]> wrote:
>> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2,
>> RC5
>
> I have these, but also LOW, EXPORT, and RC4. Are these not needed?

That depends on the versions of Postfix and OpenSSL on your system and
on how much you care about interoperability. While RC4-MD5 should no
longer be used for anything, there are still a lot of mailservers out
there that don't know any better. When you don't offer them RC4-MD5,
they will fall back to plain text. Even RC4-MD5 is better than that.

In general, you should probably leave this setting alone unless you have
a very specify reason to change it. And even then, you will likely be
better served with an entry in `smtp_tls_policy_maps` overriding the
default for a specific destination.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information

Viktor Dukhovni

Re: ECDSA and RSA: setting preference

> On Apr 19, 2017, at 7:45 AM, Philip Paeps <[hidden email]> wrote:
>
>>> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
>>
>> I have these, but also LOW, EXPORT, and RC4. Are these not needed?

Reasonably current Postfix releases have "smtp_tls_ciphers = medium", which
already excludes LOW and EXPORT. As for RC4, I've not seen any RC4-only
systems for some time. I was thinking of removing RC4 in Postfix this
year, but given that it is being disabled at compile-time in the latest
OpenSSL, and that the bias in the first 256 bytes of output is not a major
issue for SMTP, I'm inclined to let RC4 fade away over time as users upgrade
OpenSSL.

--
Viktor.