Hi all,
Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails. To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…). Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck… thanks, _ Zbyszek Żółkiewski |
I think i found solution to this, by modifying default high list to:
tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH server now prefers ECDSA over RSA. Can someone cross-check if that is correct solution for a problem and not pose any risk? thanks, _ Zbyszek Żółkiewski > Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33: > > Hi all, > > Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails. > To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…). > Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck… > > thanks, > > _ > Zbyszek Żółkiewski > |
On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote:
> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33: >>Question: postfix 2.11: I have configured both RSA and ECDSA support >>on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and >>support for ECDSA works great - however ECDSA is _never_ selected as >>cipher for sending or receiving mails. >>To check if it is properly configured i have disabled RSA support and >>running server only with ECDSA and i confirm it works with gmail >>servers for example (cipher ECDHE-ECDSA…). >>Is there any way i can force postfix to first try ECDHE-ECDSA… and >>then fallback to RSA? Note, i have tried custom tls_high_cipherlist >>but no luck… > >I think i found solution to this, by modifying default high list to: > >tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH > >server now prefers ECDSA over RSA. Can someone cross-check if that is correct solution for a problem and not pose any risk? This poses an interoperability risk. You should carefully check your maillogs for the ciphers you're excluding with this. Try something like: egrep "TLS connection established from.*with cipher" \ /var/log/maillog* | awk \ '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \ sort | uniq -c | sort -n This will give you a list of ciphers negotiated by occurence. I would not recommend fiddling with the default TLS cipherlists unless you have a very specific need. Note that many senders will fall back to plain SMTP if they can't negotiate TLS with you. I feel a little security is better than no security at all. Philip -- Philip Paeps Senior Reality Engineer Ministry of Information |
thanks for the comment. But please not that i am using defaults postfix „high” settings - my only change is to force ECDSA at the beginning of the cipher list.
Full list from openssl is: ciphers 'ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH’ ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-ECDSA-NULL-SHA adding ECDSA causes to change order only to the defaults. This could be also some kind of feature requests to postfix maintainers - to have option to sort (not change) cipher list. Side note: it’s weird having @STRENGTH while it do not actually sort ciphers…. (not sure that is bug in openssl or what…) _ Zbyszek Żółkiewski > Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 15:50: > > On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote: >> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33: >>> Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails. >>> To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…). >>> Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck… >> >> I think i found solution to this, by modifying default high list to: >> >> tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH >> >> server now prefers ECDSA over RSA. Can someone cross-check if that is correct solution for a problem and not pose any risk? > > This poses an interoperability risk. You should carefully check your maillogs for the ciphers you're excluding with this. > > Try something like: > > egrep "TLS connection established from.*with cipher" \ > /var/log/maillog* | awk \ > '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \ > sort | uniq -c | sort -n > > This will give you a list of ciphers negotiated by occurence. > > I would not recommend fiddling with the default TLS cipherlists unless you have a very specific need. > > Note that many senders will fall back to plain SMTP if they can't negotiate TLS with you. I feel a little security is better than no security at all. > > Philip > > -- > Philip Paeps > Senior Reality Engineer > Ministry of Information |
On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote:
>> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 15:50: >> On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote: >>> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33: >>>>Question: postfix 2.11: I have configured both RSA and ECDSA support >>>>on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and >>>>support for ECDSA works great - however ECDSA is _never_ selected as >>>>cipher for sending or receiving mails. >>>>To check if it is properly configured i have disabled RSA support >>>>and running server only with ECDSA and i confirm it works with gmail >>>>servers for example (cipher ECDHE-ECDSA…). >>>>Is there any way i can force postfix to first try ECDHE-ECDSA… and >>>>then fallback to RSA? Note, i have tried custom tls_high_cipherlist >>>>but no luck… >>> >>>I think i found solution to this, by modifying default high list to: >>> >>> tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH >>> >>>server now prefers ECDSA over RSA. Can someone cross-check if that is >>>correct solution for a problem and not pose any risk? >> >>This poses an interoperability risk. You should carefully check your >>maillogs for the ciphers you're excluding with this. >> >>Try something like: >> >> egrep "TLS connection established from.*with cipher" \ >> /var/log/maillog* | awk \ >> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \ >> sort | uniq -c | sort -n >> >>This will give you a list of ciphers negotiated by occurence. >> >>I would not recommend fiddling with the default TLS cipherlists unless >>you have a very specific need. >> >>Note that many senders will fall back to plain SMTP if they can't >>negotiate TLS with you. I feel a little security is better than no >>security at all. > >thanks for the comment. But please not that i am using defaults postfix >„high” settings - my only change is to force ECDSA at the beginning of >the cipher list. Sorry. I missed that you were on Postfix 2.11. I looked at ``postconf -d tls_high_cipherlist`` on my Postfix 3.1.4 installation and it does not list !MEDIUM or +RC4. >adding ECDSA causes to change order only to the defaults. This could be >also some kind of feature requests to postfix maintainers - to have >option to sort (not change) cipher list. You can achieve that using ``tls_{high,medium,low}_cipherlist`` together with ``tls_preempt_cipherlist = yes``. I don't really think Postfix is the correct place to sort ciphers by preference. That's something to do in OpenSSL. Philip -- Philip Paeps Senior Reality Engineer Ministry of Information |
In reply to this post by Philip Paeps
On 2017-04-13 (07:50 MDT), Philip Paeps <[hidden email]> wrote:
> > egrep "TLS connection established from.*with cipher" \ > /var/log/maillog* | awk \ > '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \ > sort | uniq -c | sort -n Interesting. Ran this over a few days of logs: 5288 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 4633 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 2343 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 1527 TLSv1 with cipher ECDHE-RSA-AES128-SHA 1250 TLSv1.2 with cipher AECDH-AES256-SHA Everything else is under 500, and the next 2 are the top 2 TLSv1.2 without GCM. -- Apple broke AppleScripting signatures in Mail.app, so no random signatures. |
On 04/13/17 10:16, @lbutlr wrote:
> On 2017-04-13 (07:50 MDT), Philip Paeps <[hidden email]> wrote: >> >> egrep "TLS connection established from.*with cipher" \ >> /var/log/maillog* | awk \ >> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \ >> sort | uniq -c | sort -n > > Interesting. Ran this over a few days of logs: > > 5288 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 > 4633 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 > 2343 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 > 1527 TLSv1 with cipher ECDHE-RSA-AES128-SHA > 1250 TLSv1.2 with cipher AECDH-AES256-SHA > > Everything else is under 500, and the next 2 are the top 2 TLSv1.2 without GCM. From today's log only (the rest are compressed): 402 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 110 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 106 TLSv1 with cipher ADH-CAMELLIA256-SHA 54 TLSv1 with cipher DHE-RSA-AES256-SHA 32 TLSv1.2 with cipher AECDH-AES256-SHA 28 TLSv1 with cipher ECDHE-RSA-AES128-SHA 18 TLSv1 with cipher ECDHE-RSA-AES256-SHA 16 TLSv1 with cipher AES256-SHA 12 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 4 TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA 4 TLSv1 with cipher ADH-AES256-SHA This is Postfix 3.2.0 with untouched default cipher settings. -- Phil Stracchino Babylon Communications [hidden email] [hidden email] Landline: 603.293.8485 |
In reply to this post by @lbutlr
On 2017-04-13 08:16:29 (-0600), @lbutlr <[hidden email]> wrote:
>On 2017-04-13 (07:50 MDT), Philip Paeps <[hidden email]> wrote: >> egrep "TLS connection established from.*with cipher" \ >> /var/log/maillog* | awk \ >> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \ >> sort | uniq -c | sort -n > >Interesting. Ran this over a few days of logs: > >5288 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 >4633 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 >2343 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 >1527 TLSv1 with cipher ECDHE-RSA-AES128-SHA >1250 TLSv1.2 with cipher AECDH-AES256-SHA > >Everything else is under 500, and the next 2 are the top 2 TLSv1.2 without GCM. That's a pretty good situation to be in. :) I've been trying to reach out to the RC4-MD5 users who are unfortunately still in the top 10 of one of the mail systems I manage. Philip -- Philip Paeps Senior Reality Engineer Ministry of Information |
In reply to this post by Philip Paeps
all looks good except _outgoing_ mail that still uses ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using ECDHE-ECDSA-AES256-GCM-SHA384.
so where is problem ? settings are: smtp_tls_ciphers = high smtp_tls_mandatory_ciphers = high smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high tls_high_cipherlist = ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH _ Zbyszek Żółkiewski > Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 16:04: > > On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote: >>> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 15:50: >>> On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski <[hidden email]> wrote: >>>> Wiadomość napisana przez Zbyszek Żółkiewski <[hidden email]> w dniu 13.04.2017, o godz. 13:33: >>>>> Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails. >>>>> To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…). >>>>> Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck… >>>> >>>> I think i found solution to this, by modifying default high list to: >>>> >>>> tls_high_cipherlist = ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH >>>> >>>> server now prefers ECDSA over RSA. Can someone cross-check if that is correct solution for a problem and not pose any risk? >>> >>> This poses an interoperability risk. You should carefully check your maillogs for the ciphers you're excluding with this. >>> >>> Try something like: >>> >>> egrep "TLS connection established from.*with cipher" \ >>> /var/log/maillog* | awk \ >>> '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \ >>> sort | uniq -c | sort -n >>> >>> This will give you a list of ciphers negotiated by occurence. >>> >>> I would not recommend fiddling with the default TLS cipherlists unless you have a very specific need. >>> >>> Note that many senders will fall back to plain SMTP if they can't negotiate TLS with you. I feel a little security is better than no security at all. >> >> thanks for the comment. But please not that i am using defaults postfix „high” settings - my only change is to force ECDSA at the beginning of the cipher list. > > Sorry. I missed that you were on Postfix 2.11. I looked at ``postconf -d tls_high_cipherlist`` on my Postfix 3.1.4 installation and it does not list !MEDIUM or +RC4. > >> adding ECDSA causes to change order only to the defaults. This could be also some kind of feature requests to postfix maintainers - to have option to sort (not change) cipher list. > > You can achieve that using ``tls_{high,medium,low}_cipherlist`` together with ``tls_preempt_cipherlist = yes``. I don't really think Postfix is the correct place to sort ciphers by preference. That's something to do in OpenSSL. > > Philip > > -- > Philip Paeps > Senior Reality Engineer > Ministry of Information |
On 2017-04-13 17:28:44 (+0200), Zbyszek Żółkiewski
<[hidden email]> wrote: >> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu >> 13.04.2017, o godz. 16:04: >> On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski >> <[hidden email]> wrote: >>>> Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu >>>> 13.04.2017, o godz. 15:50: >>>> On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski >>>> <[hidden email]> wrote: >>>>> Wiadomość napisana przez Zbyszek Żółkiewski >>>>> <[hidden email]> w dniu 13.04.2017, o godz. 13:33: >>>>>> Question: postfix 2.11: I have configured both RSA and ECDSA >>>>>> support on the server (smtpd_tls_cert_file and >>>>>> smtpd_tls_eccert_file) and support for ECDSA works great - >>>>>> however ECDSA is _never_ selected as cipher for sending or >>>>>> receiving mails. >>>>>> To check if it is properly configured i have disabled RSA support >>>>>> and running server only with ECDSA and i confirm it works with >>>>>> gmail servers for example (cipher ECDHE-ECDSA…). >>>>>> Is there any way i can force postfix to first try ECDHE-ECDSA… >>>>>> and then fallback to RSA? Note, i have tried custom >>>>>> tls_high_cipherlist but no luck… >>>>> >>>>> I think i found solution to this, by modifying default high list >>>>> to: >>>>> >>>>> tls_high_cipherlist = >>>>> ECDSA:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH >>>>> >>>>> server now prefers ECDSA over RSA. Can someone cross-check if that >>>>> is correct solution for a problem and not pose any risk? >>>> >>>> This poses an interoperability risk. You should carefully check >>>> your maillogs for the ciphers you're excluding with this. >>>> >>>> [...] >>>> >>>> Note that many senders will fall back to plain SMTP if they can't >>>> negotiate TLS with you. I feel a little security is better than no >>>> security at all. >>> >>> thanks for the comment. But please not that i am using defaults >>> postfix „high” settings - my only change is to force ECDSA at >>> the beginning of the cipher list. >> >> Sorry. I missed that you were on Postfix 2.11. I looked at >> ``postconf -d tls_high_cipherlist`` on my Postfix 3.1.4 installation >> and it does not list !MEDIUM or +RC4. >> >>> adding ECDSA causes to change order only to the defaults. This could >>> be also some kind of feature requests to postfix maintainers - to >>> have option to sort (not change) cipher list. >> >> You can achieve that using ``tls_{high,medium,low}_cipherlist`` >> together with ``tls_preempt_cipherlist = yes``. I don't really think >> Postfix is the correct place to sort ciphers by preference. That's >> something to do in OpenSSL. > > all looks good except _outgoing_ mail that still uses > ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using > ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using > ECDHE-ECDSA-AES256-GCM-SHA384. Are you sure the servers you are talking to actually support ECDSA? :) Did you check the TLS handshake with tcpdump to verify the cipherlist offered by the server? By default TLS servers allow clients to select their preferred cipher but they can override this default. > so where is problem ? settings are: > > smtp_tls_ciphers = high > smtp_tls_mandatory_ciphers = high > smtpd_tls_ciphers = high > smtpd_tls_mandatory_ciphers = high > tls_high_cipherlist = > ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH These settings look fine. You could perhaps add ``tls_preempt_cipherlist`` but this only affects smtpd, it has no effect on the smtp client. Please check the TLS handshake to verify the ordering of ciphers in the client hello and whether the server offers ECDSA in the server hello and that it doesn't preempt the client's offered ciphers. Philip -- Philip Paeps Senior Reality Engineer Ministry of Information |
In reply to this post by Zbyszek Żółkiewski
> On Apr 13, 2017, at 7:33 AM, Zbyszek Żółkiewski <[hidden email]> wrote: > > Question: postfix 2.11: I have configured both RSA and ECDSA support on the server (smtpd_tls_cert_file and smtpd_tls_eccert_file) and support for ECDSA works great - however ECDSA is _never_ selected as cipher for sending or receiving mails. > To check if it is properly configured i have disabled RSA support and running server only with ECDSA and i confirm it works with gmail servers for example (cipher ECDHE-ECDSA…). > Is there any way i can force postfix to first try ECDHE-ECDSA… and then fallback to RSA? Note, i have tried custom tls_high_cipherlist but no luck… OpenSSL prefers ECDSA to RSA by default. However, it also generally accepts the client's cipher preference order. To use the server's preference list set: $ tls_preempt_cipherlist = yes DO NOT change the "tls_{high,medium,...}_cipherlist" settings. -- Viktor. |
In reply to this post by Zbyszek Żółkiewski
> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski <[hidden email]> wrote: > > all looks good except _outgoing_ mail that still uses ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using ECDHE-ECDSA-AES256-GCM-SHA384. > > so where is problem ? settings are: > > smtp_tls_ciphers = high > smtp_tls_mandatory_ciphers = high > smtpd_tls_ciphers = high > smtpd_tls_mandatory_ciphers = high > tls_high_cipherlist = ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH Please stop. In trying to make your server "more secure" you're making it less secure. See https://tools.ietf.org/html/rfc7435 for why. The reason outgoing mail is not using ECDSA is that almost nobody has configured ECDSA certificates along with their RSA certificates on their MX hosts. No matter how fancy your SMTP client configuration the server won't suddenly acquire an ECDSA key-pair. The fewer changes you make to the Postfix TLS cipher settings, the more likely you're to have a reasonably secure and interoperable configuration. It is at this time not unreasonable to set "tls_preempt_cipherlist = yes" if some of your SMTP clients have "poor" cipher preferences. You can also exclude some truly obsolete ciphers via: smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5 which makes for a more compact TLS ClientHello. This is generally not needed. Some of these exclusions might happen by default in a future Postfix release. The MD5, kDH and kECDH ciphers are largely gone from OpenSSL 1.1.0 and later. Only the eNULL MD5 cipher remains: $ openssl ciphers -v MD5:kDH:kECDH NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 -- Viktor. |
_
Zbyszek Żółkiewski > Wiadomość napisana przez Viktor Dukhovni <[hidden email]> w dniu 13.04.2017, o godz. 19:21: > > >> On Apr 13, 2017, at 11:28 AM, Zbyszek Żółkiewski <[hidden email]> wrote: >> >> all looks good except _outgoing_ mail that still uses ECDHE-RSA-AES128-GCM-SHA256. Incoming mail is using ECDHE-ECDSA-AES256-GCM-SHA384 and clients as well are using ECDHE-ECDSA-AES256-GCM-SHA384. >> >> so where is problem ? settings are: >> >> smtp_tls_ciphers = high >> smtp_tls_mandatory_ciphers = high >> smtpd_tls_ciphers = high >> smtpd_tls_mandatory_ciphers = high >> tls_high_cipherlist = ECDSA:AESGCM:aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH > > Please stop. > > In trying to make your server "more secure" you're making it less secure. > See https://tools.ietf.org/html/rfc7435 for why. > > The reason outgoing mail is not using ECDSA is that almost nobody has configured > ECDSA certificates along with their RSA certificates on their MX hosts. No matter > how fancy your SMTP client configuration the server won't suddenly acquire an ECDSA > key-pair. > Thanks for the insights, gmail for example works as i mentioned before. Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH” is a default postfix configuration - and i do not change it - just by adding ECDSA at the beginning, i am changing order of ciphers. And you stated that "OpenSSL prefers ECDSA to RSA by default.” - that’s not true, you can see yourself in openssl ciphers command: openssl ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:…….. that is openssl 1.0.1 (debian 8), openssl in fact mix ECDHE-RSA and ECDHE-ECDSA (i guess order is because that suite is similar in strength, maybe) > The fewer changes you make to the Postfix TLS cipher settings, the more likely > you're to have a reasonably secure and interoperable configuration. > > It is at this time not unreasonable to set "tls_preempt_cipherlist = yes" if > some of your SMTP clients have "poor" cipher preferences. > > You can also exclude some truly obsolete ciphers via: > > smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5 > > which makes for a more compact TLS ClientHello. This is generally not > needed. Some of these exclusions might happen by default in a future > Postfix release. The MD5, kDH and kECDH ciphers are largely gone from > OpenSSL 1.1.0 and later. Only the eNULL MD5 cipher remains: > > $ openssl ciphers -v MD5:kDH:kECDH > NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 > > -- > Viktor. > |
In reply to this post by Philip Paeps
Wiadomość napisana przez Philip Paeps <[hidden email]> w dniu 13.04.2017, o godz. 19:46:
> > How did you test it without RSA? If I try to connect to Google without RSA support (aNULL:-aNULL:HIGH:-aRSA:@STRENGTH), it fails to negotiate a cipher and the connection drops. > > As pointed out though: this really is not making anything more secure... Sorry if i was not accurate with „RSA” - by that I did not have in mind RSA cipher suite but RSA certificate. If you replace RSA certificate with EC - you will see that all connections to google are made using ECDSA (or just leave smtpd_tls_eccert_file and comment out RSA cert) And as the note that it not make things secure: yes i understand that - but if there is technology that is new and can be used - why not prioritize it where it can be? What’s the point then introducing new stuff if nobody uses it? In my opinion we should push new things, not hide it. |
In reply to this post by Zbyszek Żółkiewski
> On Apr 13, 2017, at 1:49 PM, Zbyszek Żółkiewski <[hidden email]> wrote: > > Thanks for the insights, > > Please note that "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH” > is a default postfix configuration Yes, I set that default... > - and i do not change it - just by adding ECDSA at the beginning, i am changing order of ciphers. That's a change. > And you stated that "OpenSSL prefers ECDSA to RSA by default.” It is true, when all the other factors that go into cipher selection are equal. Strong key exchange, ... takes precedence over the public key (authentication) algorithm preference. With OpenSSL 1.1.0, the top few ciphers are: ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD Note that ECDSA ciphers precede the *otherwise equivalent* RSA ciphers. > openssl ciphers > ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:…….. Yes, RSA was preferred in OpenSSL <= 1.0.2. > that is openssl 1.0.1 (debian 8), openssl in fact mix ECDHE-RSA and ECDHE-ECDSA (i guess order is because that suite is similar in strength, maybe) Your main security risk is weak key agreement, not weak authentication. It is unlikely that your CPU overtaxed doing RSA handshakes. It is simplest to let the RSA preference of OpenSSL 1.0.x stand. Getting the cipher order right with ECDSA preferred over RSA for otherwise equivalent and *sensibly ordered* parameters requires more care than is worth the effort. The supported ciphers change with time, and the entire cipher selection process changes completely with TLS 1.3. Just let the defaults stand. Yes, your ECDSA certificate will rarely be used (actually with "tls_preempt_cipherlist = no", some OpenSSL >= 1.1.0 clients will prefer ECDSA, if they don't prefer aNULL instead). -- Viktor. |
In reply to this post by Zbyszek Żółkiewski
Wiadomość napisana przez Viktor Dukhovni <[hidden email]> w dniu 13.04.2017, o godz. 20:35:
> > >> On Apr 13, 2017, at 1:55 PM, Zbyszek Żółkiewski <[hidden email]> wrote: >> >> And as the note that it not make things secure: yes i understand that - but if there is technology that is new and can be used - why not prioritize it where it can be? What’s the point then introducing new stuff if nobody uses it? In my opinion we should push new things, not hide it. > > If you want new, deploy a system that uses OpenSSL 1.1.0, and not OpenSSL > 1.0.1, which reached end-of-life in Dec 2016 and gets no further security > fixes. I hope to get there with next stable release > > In any case, in opportunistic security broad interoperability is far more > useful than cutting-edge sophistication. Let the browsers and other > software push the envelope with new algorithms, and over time these will > become the norm in the underlying crypto libraries. I think SMTP get too old and it will get even older and more obsolete if we will not put newtech/cutting edge into it. Even with hard push to enable encryption by default - we all know it will take many years until sysadmins decide to go „encrypt only” with smtp servers - there always will be someone who use old software. At some point community will have to decide to drop those who left too far behind. > > It makes little sense to expend precious energy on optimizing (best-effort) > TLS in SMTP. If you want security, deploy DNSSEC and DANE for your domain: yes, maybe my desire to prefer ECDSA was/is not worth of effort - at last, I just wanted to be used more - but it roll into nice discussion anyways > > http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444 > https://www.ietf.org/mail-archive/web/uta/current/msg01498.html > https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766 > https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/ > https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022 > http://tools.ietf.org/html/rfc7671#section-8.1 > http://tools.ietf.org/html/rfc7671#section-8.4 > http://dane.sys4.de/common_mistakes > thanks for the reference - i am tight to AWS R53 with some features > That makes a real difference, while it is far from clear whether ECDSA is > actually more or less secure than RSA. Of course deploying DANE means > getting the operational details right: > > * Monitoring of TLSA record validity (match the actual server cert chain) > * Monitoring of DNSSEC DS/DNSKEY records and signature non-expiration > * Reliable key rotation > * … running good SMTP server is a serious job but also compelling > > This takes some skill to get right. > > -- > Viktor. > _ Zbyszek Żółkiewski |
In reply to this post by Phil Stracchino
On 2017-04-13 (08:54 MDT), Phil Stracchino <[hidden email]> wrote:
> > From today's log only (the rest are compressed): bzgrep "TLS connection established from.*with cipher” \ /var/log/maillog.{0..14}.bz2 | \ awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \ sort | uniq -c | sort -rn -- Apple broke AppleScripting signatures in Mail.app, so no random signatures. |
In reply to this post by Viktor Dukhovni
On 2017-04-13 (11:21 MDT), Viktor Dukhovni <[hidden email]> wrote:
> > smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5 I have these, but also LOW, EXPORT, and RC4. Are these not needed? -- Apple broke AppleScripting signatures in Mail.app, so no random signatures. |
On 2017-04-19 13:33:13 (+0200), @lbutlr <[hidden email]> wrote:
> On 2017-04-13 (11:21 MDT), Viktor Dukhovni > <[hidden email]> wrote: >> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, >> RC5 > > I have these, but also LOW, EXPORT, and RC4. Are these not needed? That depends on the versions of Postfix and OpenSSL on your system and on how much you care about interoperability. While RC4-MD5 should no longer be used for anything, there are still a lot of mailservers out there that don't know any better. When you don't offer them RC4-MD5, they will fall back to plain text. Even RC4-MD5 is better than that. In general, you should probably leave this setting alone unless you have a very specify reason to change it. And even then, you will likely be better served with an entry in `smtp_tls_policy_maps` overriding the default for a specific destination. Philip -- Philip Paeps Senior Reality Engineer Ministry of Information |
> On Apr 19, 2017, at 7:45 AM, Philip Paeps <[hidden email]> wrote: > >>> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5 >> >> I have these, but also LOW, EXPORT, and RC4. Are these not needed? Reasonably current Postfix releases have "smtp_tls_ciphers = medium", which already excludes LOW and EXPORT. As for RC4, I've not seen any RC4-only systems for some time. I was thinking of removing RC4 in Postfix this year, but given that it is being disabled at compile-time in the latest OpenSSL, and that the bias in the first 256 bytes of output is not a major issue for SMTP, I'm inclined to let RC4 fade away over time as users upgrade OpenSSL. -- Viktor. |
Free forum by Nabble | Edit this page |