> As some test suite recommendations might be harsher than what is practical I thought I'd check with the people who actually work on Postfix.
> 1) some test sites say TLS 1.0 should be disabled for NIST compliance. Is that recommended? What about 1.1?
The devices will negotiate the best possible encryption available to both. If you disable TLS 1.0 (or even SSL) you risk defaulting to plain text. (The definition of “best” above is an open issue.)
> 2) is there a page that has up-to-date recommendations on this and items like cipher list settings from the Postfix maintainers?
Wietse and Viktor are very meticulous with the defaults. Unless you have some very specific requirements or knowledge, I doubt you will improve the security by changing the settings.
On Thu, May 14, 2020 at 12:56:46PM -0400, Ian Evans wrote:
> As some test suite recommendations might be harsher than what is practical
> I thought I'd check with the people who actually work on Postfix.
The most important question is: are you talking about mandatory or
opportunistic TLS? All the tests I've seen only make sense for
Mandatory TLS is used for mail submission from your own clients. For
connections by your own clients you can require whatever settings you
desire, even TLS 1.3 only if they are recent enough, not that I would
recommend this just yet.
However, connections from and to the rest of the SMTP world mostly use
opportunistic TLS, with the notable exception of DANE (or STS)
authenticated connections. If the client can't use TLS, it will just
fall back to plaintext connections. So requiring too strict settings
will just force the mail to be delivered via a plaintext connection and
you've lost the protection even TLS 1.0 can provide you with.
> 1) some test sites say TLS 1.0 should be disabled for NIST compliance. Is
> that recommended? What about 1.1?
TLS 1.0 and 1.1 are not broken, so you should not disable them for
Beam me up, Scotty, there's no intelligent life down here!
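The split described above (strict settings only where TLS is already mandatory, lenient settings for opportunistic traffic), written out as an added Postfix configuration example. It is not taken from the thread or from the Postfix documentation; it assumes a Postfix release with DANE support (2.11 or later) and a resolver that validates DNSSEC, and the service name and restrictions on the submission entry are illustrative.

```conf
# ---- main.cf ----
# Inbound from the Internet: opportunistic TLS. TLS 1.0/1.1 stay
# enabled so old peers still encrypt instead of falling back to plaintext.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium

# Outbound to the Internet: opportunistic by default, upgraded to
# authenticated TLS where the destination publishes DANE TLSA records.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium

# Settings that apply only when a connection is already required to be
# encrypted (DANE-verified destinations, policy-table entries, submission).
# Kept at the lenient default here; the submission service tightens them.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# ---- master.cf ----
# Mail submission from your own clients: TLS is mandatory and, because
# you control those clients, TLS 1.0 and 1.1 can be excluded here
# without risking a plaintext fallback for Internet mail.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After editing, `postconf -n` lists only the parameters that differ from the compiled-in defaults, which makes it easy to see how far you have strayed from them.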
I think it is a fundamental question on what your goal is: To send/receive mail under any circumstance or force a minimum security level.
With that it is important to distinguish between receiving mail and sending. The issue with leaving every old option available is that broken TLS versions or plain text do not go away that way. Only if some pressure builds on admins to secure their servers will it change.
Most notice pressure by seeing that more and more traffic gets encrypted or mail could not be delivered. Hence you can start by increasing the settings in outgoing. If you feel comfortable and if you want to enforce a minimum security level, change the incoming stuff as well.
But again it is a fundamental question on what is more important for you (if you can make that decision).
Personally I follow the Dutch guides under internet.nl, but I have a personal e-mail server. All I can say: for the last 10 years I did not have any troubles with stricter settings, more with spam rejections...
On Thursday, 14.05.2020, 20:33 +0300, Petri Riihikallio wrote:
If you are curious about the defaults in your Postfix use