On Fri, Feb 20, 2015 at 08:01:09PM +0100, Andreas Fink wrote:
How about support (as a fallback) for older clients? How "safe" (no pun intended) is it to disable as of today?
It's simple: fallback = a MITM attacker can force fallback = you're pwned...
Depends on what one means by "fallback". When RC4 is enabled at a low preference MITM attackers cannot re-order the handshake without invalidating the TLS "finished" message.
It should be noted that, occasional bilateral security arrangements aside, MTA to MTA SMTP is generally vulnerable to MiTM attacks regardless of whether RC4 is enabled or not.
With DANE, SMTP client MTAs can also authenticate servers for which no prior security settings exist, and in *that* case we have a fairly MiTM resistant protocol.
In Postfix, for peers that publish TLSA RRs, the "mandatory" TLS protocol, cipher and exclusion lists apply.
By all means, try:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_exclude_ciphers = RC4
If there are any domains that publish TLSA records for an SMTP server that is capable only of legacy crypto, both they and I will be surprised.
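
An added illustration, not part of the original message: a simplified Python model of the point above that an in-transit change to the cipher offer invalidates the TLS "finished" message, because each side MACs the handshake as it saw it. The cipher names, the secret and the HMAC-SHA256 construction are constructed stand-ins for the real TLS PRF and key exchange, and the model assumes the server honours client preference order.

```python
import hashlib
import hmac

# Constructed cipher names in client preference order; RC4 is last (low preference).
CLIENT_OFFER = ["AES256-GCM", "AES128-SHA", "RC4-SHA"]
SERVER_SUPPORTED = {"AES256-GCM", "AES128-SHA", "RC4-SHA"}

def server_select(offer):
    """Server picks the first offered cipher it supports (client preference order)."""
    for cipher in offer:
        if cipher in SERVER_SUPPORTED:
            return cipher
    raise ValueError("no shared cipher")

def finished_mac(master_secret, label, transcript):
    """Simplified stand-in for the TLS Finished computation: a keyed MAC
    over a hash of every handshake message this side sent or received."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(master_secret, label + digest, hashlib.sha256).digest()

def handshake(tamper=None):
    """Run one modelled handshake. `tamper` is an optional function applied
    to the offer in transit. Returns (selected_cipher, finished_ok)."""
    master_secret = b"constructed-secret-unknown-to-the-middle"
    sent_hello = ",".join(CLIENT_OFFER).encode()
    seen_offer = tamper(list(CLIENT_OFFER)) if tamper else list(CLIENT_OFFER)
    received_hello = ",".join(seen_offer).encode()
    selected = server_select(seen_offer)
    server_hello = selected.encode()
    # Each side hashes the messages as it saw them, so the views can differ.
    client_view = [sent_hello, server_hello]
    server_view = [received_hello, server_hello]
    client_fin = finished_mac(master_secret, b"client finished", client_view)
    expected = finished_mac(master_secret, b"client finished", server_view)
    return selected, hmac.compare_digest(client_fin, expected)

def strip_to_rc4(offer):
    """In-transit modification that leaves only RC4 in the offer."""
    return [c for c in offer if c.startswith("RC4")]

def move_rc4_first(offer):
    """In-transit reordering that puts RC4 at the top of the offer."""
    return sorted(offer, key=lambda c: not c.startswith("RC4"))
```

In the untouched run the low-preference RC4 entry is never selected; in both modified runs RC4 is selected but the Finished check fails, so the handshake does not complete.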