From: Alex on 2 Mar 2010 14:42

Hi,

> Postfix settings are documented in postconf(5). Unless you are an SSL
> expert who understands OpenSSL source code in detail, you really should
> not change the default settings, and generally don't need to know what
> they are.

So is it at OpenSSL compile time that the ciphers would be specified and
determined whether or not to make them available to Postfix? Then when
Postfix is built, it is able to interpret at that time how to integrate
and make available the ciphers provided to it by OpenSSL?

> to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)

The 168/168 is a reference to the session key, correct? Configured for
tlsmgr at run-time?

> The remote system or your OpenSSL library or both do not support AES.

Okay, can I draw the conclusion that the cipher shown is the "strongest"
available on either the remote or local system? It's not possible to
figure out which ciphers are offered to TLS clients on my server?

Thanks so much.

Best regards,
Alex
From: Victor Duchovni on 2 Mar 2010 15:23

On Tue, Mar 02, 2010 at 02:42:37PM -0500, Alex wrote:

> > Postfix settings are documented in postconf(5). Unless you are an SSL
> > expert who understands OpenSSL source code in detail, you really should
> > not change the default settings, and generally don't need to know what
> > they are.
>
> So is it at OpenSSL compile time that the ciphers would be specified
> and determined whether or not to make them available to Postfix?

Largely yes, but this sounds like the wrong question. What real problem
are you trying to solve?

> Then when postfix is built, it is able to interpret at that time how to
> integrate and make available the ciphers provided to it by OpenSSL?
>
> > to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
>
> The 168/168 is a reference to the session key, correct? Configured for
> tlsmgr at run-time?

No.

> > The remote system or your OpenSSL library or both do not support AES.
>
> Okay, can I draw the conclusion that the cipher shown is the
> "strongest" available on either the remote or local system?

Yes, the strongest supported by both subject to the preference order of
the server or the client at the server's discretion.

> It's not
> possible to figure out which ciphers are offered to TLS clients on my
> server?

It is possible, but you will most likely shoot yourself in the foot if
you try to use this information to adjust Postfix settings.

The Postfix defaults are chosen carefully, and act as a barrier between
shotgun and foot. What real problem are you trying to solve?

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
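As an added example (not code from this thread, and not Postfix's own code), the following Python script shows the two things the exchange above turns on: which suites the local OpenSSL library enables for a given OpenSSL cipher-selection string, and where the pair of numbers in "(168/168 bits)" comes from. Postfix prints the values OpenSSL reports for the negotiated cipher, the key bits in use and the algorithm's nominal key size; Python's ssl module exposes the same pair as strength_bits and alg_bits on each entry of SSLContext.get_ciphers(). The negotiate() helper is a simplified model of the selection Viktor describes, the first suite in the preferring side's order that the other side also supports; it is not a TLS implementation. The cipher strings and the two offer lists are constructed for illustration, not Postfix defaults.

```python
"""Added example: inspect the local OpenSSL cipher list through Python's
ssl module, and model how one suite is picked from two offers.
Not Postfix code; the cipher specs below are illustrative assumptions."""
import ssl


def local_ciphers(spec):
    """Return the suites the local OpenSSL enables for an OpenSSL cipher
    string (the same selection language Postfix's tls_*_cipherlist
    settings use). Each entry is the dict SSLContext.get_ciphers()
    returns; its strength_bits/alg_bits pair is what Postfix logs as
    "(N/M bits)". An empty list means the spec matched no suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # "No cipher can be selected."
        return []
    return ctx.get_ciphers()


def describe(cipher):
    """One log-style line per suite: name, protocol, Kx/Au, cipher, bits."""
    return "%s %s Kx=%s Au=%s Enc=%s (%d/%d bits)" % (
        cipher["name"], cipher["protocol"], cipher["kea"], cipher["auth"],
        cipher["symmetric"], cipher["strength_bits"], cipher["alg_bits"])


def negotiate(server_prefs, client_offers, server_preference=True):
    """Pick the suite a handshake settles on: the first entry, in the
    preferring party's order, that the other side also supports.
    Returns None when there is no overlap (the handshake would fail)."""
    if server_preference:
        first, second = server_prefs, client_offers
    else:
        first, second = client_offers, server_prefs
    others = set(second)
    for name in first:
        if name in others:
            return name
    return None


if __name__ == "__main__":
    # Constructed cipher strings for illustration, not Postfix defaults.
    for spec in ("HIGH:!aNULL:!MD5", "DES-CBC3-SHA", "NOSUCHCIPHER"):
        suites = local_ciphers(spec)
        print("%s -> %d suite(s)" % (spec, len(suites)))
        for c in suites[:5]:
            print("  " + describe(c))
    # Constructed offers: the client prefers AES, the server lists 3DES
    # first, so with server preference the weaker suite wins.
    server = ["EDH-RSA-DES-CBC3-SHA", "DHE-RSA-AES256-SHA"]
    client = ["DHE-RSA-AES256-SHA", "EDH-RSA-DES-CBC3-SHA"]
    print("server preference:", negotiate(server, client, True))
    print("client preference:", negotiate(server, client, False))
```

The suite names and counts you see depend on the OpenSSL your Python is linked against, so they will differ from the 2010 library in this thread; in particular OpenSSL 1.1.0 and later report 3DES as 112/168 bits rather than 168/168, because the nominal 168-bit key only buys 112 bits of strength.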
From: Alex on 2 Mar 2010 16:04

Hi,

>> It's not
>> possible to figure out which ciphers are offered to TLS clients on my
>> server?
>
> It is possible, but you will most likely shoot yourself in the foot if
> you try to use this information to adjust Postfix settings.
>
> The Postfix defaults are chosen carefully, and act a barrier between
> shotgun and foot. What real problem are you trying to solve.

Well, I'm now really just trying to better understand what it all means.
I'm sure to think I could do a better job than Postfix itself would be a
mistake.

Where did Postfix get the information to make its decision? I don't see
how it put together that chain of encryption and authentication to build
the tunnel.

Thanks,
Alex
From: Victor Duchovni on 2 Mar 2010 16:14

On Tue, Mar 02, 2010 at 04:04:29PM -0500, Alex wrote:

> >> It's not
> >> possible to figure out which ciphers are offered to TLS clients on my
> >> server?
> >
> > It is possible, but you will most likely shoot yourself in the foot if
> > you try to use this information to adjust Postfix settings.
> >
> > The Postfix defaults are chosen carefully, and act a barrier between
> > shotgun and foot. What real problem are you trying to solve.
>
> Well, I'm now really just trying to better understand what it all
> means. I'm sure to think I could do a better job than postfix itself
> would be a mistake.

Postfix selects sensibly strong protocols and ciphers for opportunistic
and mandatory TLS respectively.

> Where did postfix get the information to make its decision?

The documentation is in TLS_README.html

The OpenSSL library implements a (powerful, but fragile) cipher selection
language. Postfix uses the OpenSSL cipher selection language with care to
implement less flexible, but more robust/intuitive cipher "grade" levels
and selects the grade automatically based on the destination policy.

> I don't
> see how it put together that chain of encryption and authentication to
> build the tunnel.

Avoiding all temptation to tweak the underlying SSL details and work with
the higher level Postfix interface:

http://www.postfix.org/TLS_README.html#client_tls_limits
http://www.postfix.org/TLS_README.html#client_tls_levels
http://www.postfix.org/TLS_README.html#client_tls_may
http://www.postfix.org/TLS_README.html#client_tls_encrypt
http://www.postfix.org/TLS_README.html#client_tls_secure
http://www.postfix.org/TLS_README.html#client_tls_policy

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
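Alex's remaining question is how a name like EDH-RSA-DES-CBC3-SHA encodes the "chain of encryption and authentication". An OpenSSL suite name is read left to right: key exchange, peer authentication, bulk cipher, MAC (EDH-RSA-DES-CBC3-SHA is ephemeral Diffie-Hellman key exchange, an RSA-signed certificate, 3DES in CBC mode, and an HMAC-SHA-1), and names with no key-exchange prefix, such as AES128-SHA, mean RSA key transport with RSA authentication. The script below is an added example, not code from this thread or from Postfix: it parses the "... TLS connection established to/from host: PROTO with cipher NAME (N/M bits)" lines Postfix writes (the quoted "(168/168 bits)" line is the tail of one), splits the suite name with a small heuristic table, and reports which sessions fall below a floor of the kind a reviewer would want to enforce on a mail relay. The log lines are constructed for the example, and the regular expression, the name-splitting table and the floor in check() are this example's own assumptions rather than anything Postfix exposes; the floor is deliberately stricter than what Postfix's grades demand, which is the point of the exercise: measure first, then decide whether a real problem exists before touching the settings Viktor warns about.

```python
"""Added example (not Postfix code): parse Postfix TLS session log lines,
decompose OpenSSL suite names, and flag sessions below an example floor."""
import re

# Constructed sample lines, modelled on Postfix's "TLS connection
# established" messages; hosts and addresses are documentation values.
LOG = """\
Mar  2 14:00:01 mx postfix/smtp[1234]: Untrusted TLS connection established to smtp.mydomain.com[192.0.2.10]:25: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
Mar  2 14:00:05 mx postfix/smtpd[1240]: Anonymous TLS connection established from client.example.net[198.51.100.7]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Mar  2 14:00:09 mx postfix/smtp[1251]: Verified TLS connection established to mail.example.org[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  2 14:00:12 mx postfix/smtp[1252]: Untrusted TLS connection established to old.example.com[203.0.113.9]:25: SSLv3 with cipher EXP-RC4-MD5 (40/128 bits)
Mar  2 14:00:15 mx postfix/smtp[1253]: connect to other.example.com[203.0.113.11]:25: Connection timed out
"""

# Assumed format: optional trust word, direction, peer, protocol, suite,
# and the "(used/algorithm bits)" pair Postfix copies from OpenSSL.
TLS_LINE = re.compile(
    r"(?:(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established )?"
    r"\b(?P<dir>to|from) (?P<peer>\S+?):? "
    r"(?P<proto>SSLv2|SSLv3|TLSv1(?:\.[123])?) with cipher (?P<cipher>\S+) "
    r"\((?P<use_bits>\d+)/(?P<alg_bits>\d+) bits\)")

# Heuristic table: leading name tokens -> (key exchange, authentication).
KX_AU = {
    ("ECDHE", "RSA"): ("ECDHE", "RSA"), ("ECDHE", "ECDSA"): ("ECDHE", "ECDSA"),
    ("DHE", "RSA"): ("DHE", "RSA"), ("DHE", "DSS"): ("DHE", "DSS"),
    ("EDH", "RSA"): ("DHE", "RSA"), ("EDH", "DSS"): ("DHE", "DSS"),
    ("ECDH", "RSA"): ("ECDH", "RSA"), ("ECDH", "ECDSA"): ("ECDH", "ECDSA"),
}
ANON = {"ADH": ("DHE", "None"), "AECDH": ("ECDHE", "None")}
MACS = {"MD5", "SHA", "SHA256", "SHA384"}


def split_suite(name):
    """Split an OpenSSL suite name into kx/au/enc/mac, e.g.
    EDH-RSA-DES-CBC3-SHA -> kx=DHE au=RSA enc=DES-CBC3 mac=SHA.
    No prefix (AES128-SHA) means RSA key transport, RSA authentication."""
    tokens = name.split("-")
    export = tokens[0] == "EXP"
    if export:
        tokens = tokens[1:]
    kx, au = "RSA", "RSA"
    if tuple(tokens[:2]) in KX_AU:
        kx, au = KX_AU[tuple(tokens[:2])]
        tokens = tokens[2:]
    elif tokens and tokens[0] in ANON:
        kx, au = ANON[tokens[0]]
        tokens = tokens[1:]
    mac = tokens.pop() if tokens and tokens[-1] in MACS else None
    if any(t in ("GCM", "CCM", "POLY1305") for t in tokens):
        mac = "AEAD"  # the trailing SHA256/SHA384 of a GCM suite is its PRF
    return {"kx": kx, "au": au, "enc": "-".join(tokens), "mac": mac,
            "export": export}


def parse(lines):
    """Return one dict per TLS session line; other lines are skipped."""
    sessions = []
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["use_bits"], d["alg_bits"] = int(d["use_bits"]), int(d["alg_bits"])
        d["trust"] = d["trust"] or "unknown"
        sessions.append(d)
    return sessions


def check(session, min_bits=128):
    """Reasons a session misses the example floor (empty list = passes):
    TLSv1 or newer, forward-secret key exchange, authenticated peer,
    AES or ChaCha20, at least min_bits in use, and no export grade.
    Note Postfix's own 'Anonymous' trust word refers to the certificate
    not being verified, which is separate from an aNULL suite."""
    s = split_suite(session["cipher"])
    reasons = []
    if session["proto"] in ("SSLv2", "SSLv3"):
        reasons.append("protocol " + session["proto"])
    if s["kx"] not in ("ECDHE", "DHE"):
        reasons.append("no forward secrecy (Kx=%s)" % s["kx"])
    if s["au"] == "None":
        reasons.append("anonymous peer")
    if not s["enc"].startswith(("AES", "CHACHA20")):
        reasons.append("cipher " + s["enc"])
    if session["use_bits"] < min_bits:
        reasons.append("%d bits" % session["use_bits"])
    if s["export"]:
        reasons.append("export grade")
    return reasons


if __name__ == "__main__":
    for sess in parse(LOG.splitlines()):
        verdict = check(sess) or ["ok"]
        print("%-4s %-40s %-8s %-30s %s" % (sess["dir"], sess["peer"],
              sess["proto"], sess["cipher"], "; ".join(verdict)))
```

Run against a real mail log the 3DES session from the thread shows up as "cipher DES-CBC3" only: the 168/168 figure clears the bit floor because OpenSSL of that era counted 3DES's nominal key, whereas 1.1.0 and later would log it as 112/168 and fail the same check on bits as well.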
From: Alex on 3 Mar 2010 10:38

Hi,

> The OpenSSL library implements a (powerful, but fragile) cipher selection
> language. Postfix uses the OpenSSL cipher selection language with care to
> implement less flexible, but more robust/intuitive cipher "grade" levels
> and selects the grade automatically based on the destination policy.

I have a much better understanding now. Thanks so much for your help.
I've got quite a bit of reading ahead of me.

Best regards,
Alex