Update to recommended TLS settings


Update to recommended TLS settings

Micah Anderson-2

In 2015, Viktor wrote an email detailing the current recommended TLS
settings[0].

Now that we are three years later, are these still the best settings? Is
there something better we can be recommending?

If anything, I think that 'smtp_tls_security_level = may' should be
recommended (it actually should be *default*), but I'm wondering about
the other recommended ciphers/protocols/excludes etc. as well.

thanks!

--
        micah

0. http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-td78583.html

Re: Update to recommended TLS settings

Viktor Dukhovni


> On Jun 15, 2018, at 8:28 AM, micah anderson <[hidden email]> wrote:
>
> In 2015, Viktor wrote an email detailing the current recommended TLS
> settings[0].
>
> Now that we are three years later, are these still the best settings? Is
> there something better we can be recommending?
>
> If anything, I think that 'smtp_tls_security_level = may' should be
> recommended (it actually should be *default*), but I'm wondering about
> the other recommended ciphers/protocols/excludes etc. as well.

There's nothing in that post that has yet been subject to much bitrot.
You could probably disable RC4 at this point, it is by default gone
as an SSL cipher from OpenSSL 1.1.0 and later, or leave it on for
interoperability with a tiny fraction of obsolete Windows 2003
systems.

I hope to modernize the OpenSSL supporting code this year, perhaps
I'll have new recommendations for Postfix 3.4 in 2019.  The idea
will be to accommodate TLS 1.3, Ed25519, support SNI on the server
side, and on the client side also when not using DANE, ...

--
        Viktor.
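As an added example (not code from the thread or from Postfix itself), here is a small Python audit that parses a main.cf and flags the two points discussed above: outbound TLS left off instead of `smtp_tls_security_level = may`, and RC4 not listed in the client/server exclude lists. The sample main.cf is constructed for the demo.

```python
"""Audit a Postfix main.cf for the TLS points raised in the thread.
Added example, not Postfix code; the sample main.cf is constructed."""
import re

# Constructed sample: a main.cf with both weaknesses the thread talks about.
SAMPLE_MAIN_CF = """\
# main.cf (constructed sample)
smtpd_tls_security_level = may
smtp_tls_security_level = none
smtpd_tls_exclude_ciphers = aNULL, MD5,
    EXPORT
smtp_tls_exclude_ciphers = aNULL, MD5
smtp_tls_loglevel = 1
"""


def parse_main_cf(text):
    """Parse 'key = value' lines. A line starting with whitespace continues
    the previous value, as Postfix does; comments and blanks are skipped."""
    params = {}
    key = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            params[key] = value
    return params


def audit_tls(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # An unset smtp_tls_security_level falls back to the legacy smtp_use_tls
    # switch, which is off by default, so treat empty like 'none'.
    level = params.get("smtp_tls_security_level", "").strip() or "none"
    if level == "none":
        findings.append("smtp_tls_security_level is 'none': outbound mail is "
                        "sent in the clear; use at least 'may'")
    # RC4 is gone from OpenSSL 1.1.0+ anyway, but excluding it explicitly
    # keeps the policy correct on older libraries too.
    for p in ("smtp_tls_exclude_ciphers", "smtpd_tls_exclude_ciphers"):
        excluded = {c.strip().upper() for c in params.get(p, "").split(",")}
        if "RC4" not in excluded:
            findings.append(f"{p} does not exclude RC4")
    return findings
```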