TLS not offered by host


TLS not offered by host

@lbutlr
When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered?

status=deferred (TLS is required, but was not offered by host

(I get very few of these (two servers in the last week), but I'd like to be able to tell the admin of the server what low-level security they are offering).

my smtp_tls* settings:
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt

and

tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression

--
Angie, Angie, when will those clouds all disappear?
Angie, Angie, where will it lead us from here?
With no lovin' in our soul and no money in our coats You can't say we're satisfied
But Angie, Angie--You can't say we never tried


Re: TLS not offered by host

Viktor Dukhovni


> On Aug 1, 2018, at 1:49 PM, @lbutlr <[hidden email]> wrote:
>
> When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered?

There's no universal notion of "level of security".  The cipher grades
defined by OpenSSL and supported by Postfix involve some human judgement
about safety of the boundary cases and may change over time.

> status=deferred (TLS is required, but was not offered by host

Here, the "level" is "none".  The remote site did not support STARTTLS.

> (I get very few of these (two servers in the last week), but I'd like to be able to tell the admin of the server what low-level security they are offering).

In this case "none".

> my smtp_tls* settings:
> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
> smtp_tls_loglevel = 1
> smtp_tls_security_level = encrypt

The last of these is too strict as a default for all domains.  The
sensible settings are either "may", or if you have a local (loopback)
validating resolver, "dane" (see TLS_README for details).

> tls_preempt_cipherlist = yes
> tls_ssl_options = no_ticket, no_compression

Why do you disable session tickets?

--
        Viktor.
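As an added example (not from the thread or from Postfix itself), a small POSIX shell script that pulls the "TLS is required, but was not offered by host" deferrals out of Postfix smtp log lines and lists the remote relays and recipient domains behind them, which is what the original poster would need in order to tell the remote admins. The log lines, hostnames, addresses and queue IDs are constructed sample data.

```shell
#!/bin/sh
# Added example: summarise Postfix deferrals caused by a peer that did not
# announce STARTTLS while smtp_tls_security_level=encrypt was in force.
# All log lines below are constructed samples in the default Postfix
# syslog format; none of the hosts or addresses are real.
SAMPLE_LOG='Aug  1 13:49:02 mail postfix/smtp[2231]: 4A1B2C3D4E: to=<user@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=0.51, delays=0.02/0/0.49/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx1.example.net[192.0.2.10])
Aug  1 13:50:11 mail postfix/smtp[2231]: 4A1B2C3D4F: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=1.2, delays=0.1/0/1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F9B3)
Aug  1 14:02:40 mail postfix/smtp[2240]: 4A1B2C3D50: to=<user@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=0.48, delays=0.01/0/0.47/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx1.example.net[192.0.2.10])
Aug  1 14:15:03 mail postfix/smtp[2240]: 4A1B2C3D51: to=<alice@forum.example.com>, relay=discourse.example.com[203.0.113.22]:25, delay=0.9, delays=0.1/0/0.8/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host discourse.example.com[203.0.113.22])'

# Read log text on stdin; print "count hostname address" for every remote
# relay that refused to offer STARTTLS, most frequent first.
no_starttls_relays() {
    grep 'TLS is required, but was not offered by host' |
        sed -n 's/.* relay=\([^[]*\)\[\([^]]*\)\]:[0-9]*,.*/\1 \2/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Read log text on stdin; print the recipient domains whose mail was
# deferred for this reason, one per line. These are the domains whose
# admins to contact (or to exempt per destination once the global default
# is "may" rather than "encrypt").
affected_domains() {
    grep 'TLS is required, but was not offered by host' |
        sed -n 's/.* to=<[^@>]*@\([^>]*\)>.*/\1/p' | sort -u
}

# Stand-alone run over the constructed sample; in production pipe in
# the real log, e.g.  grep postfix/smtp /var/log/mail.log | no_starttls_relays
printf '%s\n' "$SAMPLE_LOG" | no_starttls_relays
printf '%s\n' "$SAMPLE_LOG" | affected_domains
```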


Re: TLS not offered by host

@lbutlr
On 1 Aug 2018, at 11:59, Viktor Dukhovni <[hidden email]> wrote:
>> status=deferred (TLS is required, but was not offered by host
>
> Here, the "level" is "none".  The remote site did not support STARTTLS.

Ah. Yes, that makes sense, it just didn't occur to me a server in 2018 would do that, I figured it just had crappy security levels. Thanks.

>> smtp_tls_security_level = encrypt
>
> The last of these is too strict as a default for all domains.

Yes, probably, but on the other hand, two servers in the last week, and one of those is a "web board reply" discourse email, and those are janky at the best of times anyway.

> The sensible settings are either "may", or if you have a local (loopback)
> validating resolver, "dane" (see TLS_README for details).
>
>> tls_preempt_cipherlist = yes
>> tls_ssl_options = no_ticket, no_compression
>
> Why do you disable session tickets?

There was a reason, I think. But most of these settings have been there for years, so I should revise that. I want to say it was a recommendation from the dovecot list? (I last modified main.conf when I moved to postfix 3.x.)

<adds it to the list>

--
Silence filled the University in the same way that air fills a hole.
Night spread across the Disk like plum jam, or possibly blackberry
preserve. But there would be a morning. There would always be another
morning. --Sourcery


Re: TLS not offered by host

Viktor Dukhovni


> On Aug 1, 2018, at 2:22 PM, @lbutlr <[hidden email]> wrote:
>
>>> tls_preempt_cipherlist = yes
>>> tls_ssl_options = no_ticket, no_compression
>>
>> Why do you disable session tickets?
>
> There was a reason, I think. But most of these settings have been there for years, so I should revise that. I want to say it was a recommendation from dovecot list? (I last modified main.conf when I moved to postfix 3.x.

Don't disable session tickets with Postfix >= 2.11.  In sufficiently
recent patch levels of Postfix 2.7 (>= 2.7.15), 2.8 (>= 2.8.16), 2.9 (>= 2.9.8)
and 2.10 (>= 2.10.2) session tickets are disabled automatically.  So you
only need this in Postfix <= 2.6 or stale versions of 2.7--2.10.

--
        Viktor.