
TLS security rules - perfect setup and issue with anonymous cipher


TLS security rules - perfect setup and issue with anonymous cipher

Zalezny Niezalezny
Hi,

First of all I would like to say "thank you" for the answers to my previous questions. I read all of them, they were helpful, but I forgot to say "BIG THANKS!"


I have a security question. My Postfix 2.10.1 Server TLS configuration looks like this at the moment.


#TLS Server configuration
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/2017.cer
smtpd_tls_key_file = /etc/postfix/ssl/2017.key


Once a month an external company does a security scan of all Postfix instances. Last time there was a big discussion about anonymous ciphers.

Do I need to disable them?

What else should I configure for a public server?
Maybe somebody will be so kind as to paste here some perfect, working TLS configuration for a public server?



Cheers

Zalezny



Re: TLS security rules - perfect setup and issue with anonymous cipher

Viktor Dukhovni

> On May 5, 2017, at 7:07 AM, Zalezny Niezalezny <[hidden email]> wrote:
>
> I have a security question. My Postfix 2.10.1

Postfix 3.2, 3.1, 3.0 and 2.11 are all available.

   http://cdn.postfix.johnriley.me/mirrors/postfix-release/index.html

while Postfix 2.10 is no longer supported.  If you want to keep up with
best practice, upgrade.


> Server TLS configuration looks like this at the moment.
>
> #TLS Server configuration
> smtpd_tls_security_level = may
> smtpd_tls_cert_file = /etc/postfix/ssl/2017.cer
> smtpd_tls_key_file = /etc/postfix/ssl/2017.key

You should have the following, if they are not already the default values with your 2.10.1
(with some vendor patch backports?) Postfix release:

        smtpd_tls_protocols = !SSLv2, !SSLv3
        smtpd_tls_ciphers = medium
        smtp_tls_protocols = !SSLv2, !SSLv3
        smtp_tls_ciphers = medium

        smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
        smtpd_tls_mandatory_ciphers = medium
        smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
        smtp_tls_mandatory_ciphers = medium

Some people add:

        smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

to trim obsolete baggage from the list of ciphers offered by the SMTP client
to remote servers.  This can actually improve interoperability in some edge cases,
and should not cause any loss of ability to negotiate TLS with remote systems.
That said, this is not required.  You can, if you wish, include RC4 in that list,
but it is not as bad as it is made out to be, and would only be negotiated when
nothing better is available; almost all systems prefer AES these days, when
available.

> Once a month an external company does a security scan of all Postfix instances. Last time there was a big discussion about anonymous ciphers.
>
> Do I need to disable them?

No. See https://tools.ietf.org/html/rfc7672#section-8.2

> What else should I configured for public server?

Not much.  TLS in SMTP is opportunistic and unauthenticated in the vast majority
of cases.  Therefore, liberal settings, considered "insecure" in some quarters are
entirely appropriate.

> Maybe somebody will be so kind and paste here some perfect, working TLS configuration for public server?

There's no such thing as "perfect", but speaking of "perfect" see

   http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start

with Postfix >= 3.2 leave "smtpd_tls_eecdh_grade = auto" in place, that's better
than choosing a fixed "curve" (Diffie Hellman group of the "elliptic curve" kind).

Also make sure your OpenSSL runtime is up to date.  OpenSSL 1.0.1 and earlier are
no longer supported, so use a system with 1.0.2 or 1.1.0 patched up to date.

--
        Viktor.

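The settings in the reply above are easy to check on paper but easy to miss in a real main.cf, especially since an unset parameter silently takes the built-in default. The script below is an added example, not code from the thread or from the Postfix project: it parses Postfix main.cf syntax (including continuation lines that start with whitespace), compares the explicitly set protocol and cipher parameters against the values listed in the reply, reports which ones are unset so their default can be confirmed with `postconf -d`, and notes, following the reply's RFC 7672 section 8.2 point, that with `smtpd_tls_security_level = may` anonymous ciphers do not need to be disabled. The sample configurations, the `WEAK_MAIN_CF` variant with a deliberately weak cipher grade, and the file name `tls_audit.py` are constructed for this example.

```python
"""Offline audit of a Postfix main.cf fragment against the TLS settings from the reply.

Added example, not from the original thread or the Postfix project. The sample
configurations are constructed for this example (based on the poster's settings).
Run against a real file with: python3 tls_audit.py /etc/postfix/main.cf
"""
import re
import sys

# Constructed sample: the poster's server settings plus the optional
# smtp_tls_exclude_ciphers list from the reply, split over a continuation line.
SAMPLE_MAIN_CF = """\
#TLS Server configuration
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/2017.cer
smtpd_tls_key_file = /etc/postfix/ssl/2017.key
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH,
    SEED, IDEA, RC2, RC5
"""

# Constructed sample with one setting that conflicts with the recommendation.
WEAK_MAIN_CF = SAMPLE_MAIN_CF + "smtpd_tls_mandatory_ciphers = export\n"

# The protocol and cipher settings the reply says the server should have.
RECOMMENDED = {
    "smtpd_tls_protocols": "!SSLv2, !SSLv3",
    "smtpd_tls_ciphers": "medium",
    "smtp_tls_protocols": "!SSLv2, !SSLv3",
    "smtp_tls_ciphers": "medium",
    "smtpd_tls_mandatory_protocols": "!SSLv2, !SSLv3",
    "smtpd_tls_mandatory_ciphers": "medium",
    "smtp_tls_mandatory_protocols": "!SSLv2, !SSLv3",
    "smtp_tls_mandatory_ciphers": "medium",
}


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value' lines, '#' comments, and continuation
    lines (a line beginning with whitespace extends the previous value)."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def normalize_list(value):
    """Split a comma/whitespace separated Postfix list into sorted tokens so that
    'a, b' and 'b a' compare equal."""
    return sorted(t for t in re.split(r"[,\s]+", value) if t)


def audit(params, recommended=RECOMMENDED):
    """Return (conflicts, unset): conflicts are (name, have, want) triples where the
    file sets a different value; unset names are absent from the file, so their
    effective value is the compiled-in default and should be confirmed with
    'postconf -d <name>'."""
    conflicts, unset = [], []
    for name, want in recommended.items():
        have = params.get(name)
        if have is None:
            unset.append(name)
        elif normalize_list(have) != normalize_list(want):
            conflicts.append((name, have, want))
    return conflicts, unset


def is_opportunistic(params):
    """True when smtpd_tls_security_level is 'may': opportunistic, unauthenticated
    TLS, the case in which the reply says anonymous ciphers need not be disabled
    (RFC 7672 section 8.2)."""
    return params.get("smtpd_tls_security_level", "none") == "may"


def report(text):
    """Produce human-readable audit lines for a main.cf text."""
    params = parse_main_cf(text)
    conflicts, unset = audit(params)
    lines = [f"CONFLICT {n} = {have!r}; recommended {want!r}" for n, have, want in conflicts]
    lines += [f"UNSET    {n}; confirm the default with: postconf -d {n}" for n in unset]
    if is_opportunistic(params):
        lines.append("INFO     smtpd_tls_security_level = may: anonymous ciphers are "
                     "acceptable for opportunistic TLS (RFC 7672 section 8.2)")
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MAIN_CF
    print("\n".join(report(text)))
```

The audit deliberately treats an unset parameter as "confirm the default" rather than as a finding: on a supported Postfix release these values are the defaults, and a vendor build may have backported them, so `postconf -d` on the actual host is the authority. The script does not flag anonymous (aNULL) ciphers at all, which is the point of the reply.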