Am 14.08.2013 11:51, schrieb Jochen Fahrner via postfix-users:

Wie läuft eigentlich unter Mailservern die TLS Ciper Aushandlung ab?

Habe ich als Server oder Client die Möglichkeit zu sagen: "wir nehmen den strengst möglichen den wir beide unterstützen"?

so wie ich das verstehe kommt postfix mit fuer die Realitaet sinnvollen Voreinstellungen, die du selbst nach belieben aendern kannst, mit dme Risiko das eine Verbindung je nachdem dann gar nicht mehr moeglich ist, zb weil dein Partner eine "defekte" ssl Implementation hat etc

http://www.postfix.org/TLS_README.html

Server-side cipher controls

The Postfix SMTP server supports 5 distinct cipher security levels as specified by the smtpd_tls_mandatory_ciphers configuration parameter, which determines the cipher grade with mandatory TLS encryption. The default value is "medium" which is essentially 128-bit encryption or better. With opportunistic TLS encryption, the minimum accepted cipher grade is typically "export". The corresponding smtpd_tls_ciphers parameter (Postfix ≥ 2.6) controls the cipher grade used with opportunistic TLS.

By default anonymous ciphers are enabled. They are automatically disabled when remote SMTP client certificates are requested. If clients are expected to always verify the Postfix SMTP server certificate you may want to disable anonymous ciphers by setting "smtpd_tls_mandatory_exclude_ciphers = aNULL" or "smtpd_tls_exclude_ciphers = aNULL", as appropriate. One can't force a remote SMTP client to check the server certificate, so excluding anonymous ciphers is generally unnecessary.

The "smtpd_tls_ciphers" configuration parameter (Postfix ≥ 2.6) provides control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always "export".

With mandatory TLS encryption, the Postfix SMTP server will by default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

Note that the OpenSSL library only supports protocol exclusion (not inclusion). For this reason, Postfix can exclude only protocols that are known at the time the Postfix software is written. If new protocols are added to the OpenSSL library, they cannot be excluded without corresponding changes to the Postfix source code.

f you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH) key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead of using the built-in DH parameters for both 1024-bit (non-export ciphers) and 512-bit (export ciphers), it is better to generate your own parameters, since otherwise it would "pay" for a possible attacker to start a brute force attack against parameters that are used by everybody. Postfix defaults to compiled-in parameters that are shared by all Postfix users who don't generate their own settings.

To generate your own set of DH parameters, use:

% openssl gendh -out /etc/postfix/dh_512.pem -2 512 % openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

Support for elliptic curve cryptography is available with Postfix 2.6 and OpenSSL 1.0.0 or later. To enable ephemeral elliptic curve Diffie-Hellman (EECDH) key-exchange, set "smtpd_tls_eecdh_grade = strong" or "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is substantially more CPU intensive, and "strong" is sufficiently secure for most situations.

Examples:

/etc/postfix/main.cf: smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem # Postfix ≥ 2.6: smtpd_tls_eecdh_grade = strong

Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS servers to preempt the TLS client's cipher preference list. This is possible only with SSLv3 and later, as in SSLv2 the client chooses the cipher from a list supplied by the server.

By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server may choose its own most preferred cipher that is supported (offered) by the client. Setting "tls_preempt_cipherlist = yes" enables server cipher preferences. The default OpenSSL behavior applies with "tls_preempt_cipherlist = no".

While server cipher selection may in some cases lead to a more secure or performant cipher choice, there is some risk of interoperability issues. In the past, some SSL clients have listed lower priority ciphers that they did not implement correctly. If the server chooses a cipher that the client prefers less, it may select a cipher whose client implementation is flawed.

Best Regards MfG Robert Schetterer

* Jochen Fahrner via postfix-users jf@fahrner.name:

Wie läuft eigentlich unter Mailservern die TLS Ciper Aushandlung ab?

Schwer, je nach SSLv2/3 oder TLSv1 ist das unterschiedlich!

By default, the OpenSSL server selects the client's most preferred cipher that the server supports.

Aber der Client kann auch was anderes, unsicheres wählen.

With SSLv3 and later, the server may choose its own most preferred cipher that is supported (offered) by the client.

Das klingt besser.

Setting "tls_preempt_cipherlist = yes" enables server cipher preferences. The default OpenSSL behavior applies with "tls_preempt_cipherlist = no".

Ich gebe zu, dass ich aktuell "tls_preempt_cipherlist = no" habe...