[postfix-users] TLS cipher negotiation

Robert Schetterer via postfix-users postfix-users at de.postfix.org
Wed Aug 14 12:11:26 CEST 2013


On 14.08.2013 11:51, Jochen Fahrner via postfix-users wrote:
> How does TLS cipher negotiation actually work between mail servers?
> 
> As a server or client, do I have a way to say: "we'll use the
> strongest one that we both support"?
> 

As I understand it, Postfix comes with defaults that are sensible for
the real world, which you can change yourself as you like, at the risk
that a connection may then no longer be possible at all, e.g. because
your peer has a "broken" SSL implementation, etc.

http://www.postfix.org/TLS_README.html

Server-side cipher controls

The Postfix SMTP server supports 5 distinct cipher security levels as
specified by the smtpd_tls_mandatory_ciphers configuration parameter,
which determines the cipher grade with mandatory TLS encryption. The
default value is "medium" which is essentially 128-bit encryption or
better. With opportunistic TLS encryption, the minimum accepted cipher
grade is typically "export". The corresponding smtpd_tls_ciphers
parameter (Postfix ≥ 2.6) controls the cipher grade used with
opportunistic TLS.

By default anonymous ciphers are enabled. They are automatically
disabled when remote SMTP client certificates are requested. If clients
are expected to always verify the Postfix SMTP server certificate you
may want to disable anonymous ciphers by setting
"smtpd_tls_mandatory_exclude_ciphers = aNULL" or
"smtpd_tls_exclude_ciphers = aNULL", as appropriate. One can't force a
remote SMTP client to check the server certificate, so excluding
anonymous ciphers is generally unnecessary.

The "smtpd_tls_ciphers" configuration parameter (Postfix ≥ 2.6) provides
control over the minimum cipher grade for opportunistic TLS. With
Postfix < 2.6, the minimum opportunistic TLS cipher grade is always
"export".

With mandatory TLS encryption, the Postfix SMTP server will by default
disable SSLv2. SSLv2 is used only when TLS encryption is optional. The
mandatory TLS protocol list is specified via the
smtpd_tls_mandatory_protocols configuration parameter. The corresponding
smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS
protocols used with opportunistic TLS.

Note that the OpenSSL library only supports protocol exclusion (not
inclusion). For this reason, Postfix can exclude only protocols that are
known at the time the Postfix software is written. If new protocols are
added to the OpenSSL library, they cannot be excluded without
corresponding changes to the Postfix source code.


If you want to take advantage of ciphers with ephemeral Diffie-Hellman
(EDH) key exchange (this offers "forward-secrecy"), DH parameters are
needed. Instead of using the built-in DH parameters for both 1024-bit
(non-export ciphers) and 512-bit (export ciphers), it is better to
generate your own parameters, since otherwise it would "pay" for a
possible attacker to start a brute force attack against parameters that
are used by everybody. Postfix defaults to compiled-in parameters that
are shared by all Postfix users who don't generate their own settings.

To generate your own set of DH parameters, use:

    % openssl gendh -out /etc/postfix/dh_512.pem -2 512
    % openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

Support for elliptic curve cryptography is available with Postfix 2.6
and OpenSSL 1.0.0 or later. To enable ephemeral elliptic curve
Diffie-Hellman (EECDH) key-exchange, set "smtpd_tls_eecdh_grade =
strong" or "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is
substantially more CPU intensive, and "strong" is sufficiently secure
for most situations.

Examples:

    /etc/postfix/main.cf:
        smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
        smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
        # Postfix ≥ 2.6:
        smtpd_tls_eecdh_grade = strong

Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later
allows TLS servers to preempt the TLS client's cipher preference list.
This is possible only with SSLv3 and later, as in SSLv2 the client
chooses the cipher from a list supplied by the server.

By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server may
choose its own most preferred cipher that is supported (offered) by the
client. Setting "tls_preempt_cipherlist = yes" enables server cipher
preferences. The default OpenSSL behavior applies with
"tls_preempt_cipherlist = no".

While server cipher selection may in some cases lead to a more secure or
performant cipher choice, there is some risk of interoperability issues.
In the past, some SSL clients have listed lower priority ciphers that
they did not implement correctly. If the server chooses a cipher that
the client prefers less, it may select a cipher whose client
implementation is flawed.

Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
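
The two selection rules from the quoted TLS_README text (client order by default, server order with "tls_preempt_cipherlist = yes"), together with the aNULL exclusion and the "no connection at all" case, as an added example that is not part of the original message and is not Postfix or OpenSSL code. It is a simplified model: the function names and the three cipher lists are constructed for illustration, and the aNULL class is approximated by cipher-name prefix.

```python
# Simplified model of SSLv3/TLS cipher selection on the server side.
# Cipher names are OpenSSL names; the lists below are constructed samples.

def is_anonymous(cipher):
    """Approximate OpenSSL's aNULL class by name (anonymous DH/ECDH suites)."""
    return cipher.startswith(("ADH-", "AECDH-"))

def negotiate(client_offer, server_prefs, preempt=False, exclude_anonymous=False):
    """Return the cipher the server selects, or None if nothing is shared.

    preempt=False: OpenSSL default ("tls_preempt_cipherlist = no"),
                   the first entry in the client's order that the server supports.
    preempt=True:  "tls_preempt_cipherlist = yes",
                   the first entry in the server's order that the client offered.
    exclude_anonymous=True models "smtpd_tls_exclude_ciphers = aNULL".
    """
    if exclude_anonymous:
        server_prefs = [c for c in server_prefs if not is_anonymous(c)]
    if preempt:
        ordered, allowed = server_prefs, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_prefs)
    for cipher in ordered:
        if cipher in allowed:
            return cipher
    return None  # no shared cipher: the handshake fails

# Constructed client that lists anonymous and RC4 suites ahead of stronger ones.
CLIENT_OFFER = ["ADH-AES256-SHA", "RC4-SHA", "AES128-SHA",
                "DHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA"]
# Constructed server list, strongest (forward-secret) suites first.
SERVER_PREFS = ["ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA",
                "AES128-SHA", "RC4-SHA", "ADH-AES256-SHA"]
# Constructed legacy client that shares no suite with the server.
LEGACY_OFFER = ["EXP-RC4-MD5", "DES-CBC-SHA"]

if __name__ == "__main__":
    print(negotiate(CLIENT_OFFER, SERVER_PREFS))
    print(negotiate(CLIENT_OFFER, SERVER_PREFS, exclude_anonymous=True))
    print(negotiate(CLIENT_OFFER, SERVER_PREFS, preempt=True))
    print(negotiate(LEGACY_OFFER, SERVER_PREFS, preempt=True))
```

With the same two peers, the outcome depends only on whose order is followed, so "the strongest cipher both sides support" is something the server can enforce only when it preempts the client's list.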

