From: Alex on
Hi,

I have an existing old postfix TLS server set up and working
successfully. It was created several years ago and has been working
fine ever since.I'm wondering what the benefits would be with
upgrading? In other words, I realize I can only support SSLv2, but are
there other security designs and technologies that I would be
encouraged to be able to support?

What encryption/cipher/key length, session key options, etc, choices
should I be making if I were to do this today?

Under what circumstances would you want to choose only TLSv1 and not
SSLv3 and TLSv1?

Many of the HOWTOs and guides out there that I could find all pertain
to older versions of postfix. Any word on when Ralph will be updating
his book? :-) Is there a book you could recommend that covers
SSLv3/TLSv1 and later versions of postfix?

Thanks,
Alex

From: Eray Aslan on
On 02.03.2010 06:09, Alex wrote:
> What encryption/cipher/key length, session key options, etc, choices
> should I be making if I were to do this today?

That is dificult to say without knowing what you are trying to protect,
your threat model etc. If in doubt, go with the defaults.

> Under what circumstances would you want to choose only TLSv1 and not
> SSLv3 and TLSv1?

AFAIK, differences between TLSv1 and SSLv3:
* Expansion of cryptographic keys from the initially exchanged secret
was improved
* MAC construction mechanism modified into an HMAC
* Mandatory support for Diffie-Hellman key exchange, the Digital
Signature Standard, and Triple-DES encryption

In practice, not much of a difference.

> Many of the HOWTOs and guides out there that I could find all pertain
> to older versions of postfix. Any word on when Ralph will be updating
> his book? :-) Is there a book you could recommend that covers
> SSLv3/TLSv1 and later versions of postfix?

http://www.postfix.org/TLS_README.html

Do not change the defaults without understanding the implications.
Postfix defaults are not chosen randomly.

--
Eray

From: Victor Duchovni on
On Mon, Mar 01, 2010 at 11:09:08PM -0500, Alex wrote:

> I have an existing old postfix TLS server set up and working
> successfully. It was created several years ago and has been working
> fine ever since.

You don't have to upgrade Postfix.

> I'm wondering what the benefits would be with
> upgrading? In other words, I realize I can only support SSLv2,

Most unlikely. I am not aware of any legacy versions of Postfix that
support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
support is sufficiently modern and robust.

> but are there other security designs and technologies that I would be
> encouraged to be able to support?

You should however upgrade OpenSSL to at least 0.9.8m, as many OpenSSL
security issues have been addressed in the mean-time.

If you legacy Postfix is linked with OpenSSL 0.9.7x, then and only then
do you need to upgrade both (re-compile Postfix with OpenSSL 0.9.8).

OpenSSL 1.0.0 will be released shortly, if you wait a bit, I would
strongly recommend OpenSSL 1.0.0 over 0.9.8.

> What encryption/cipher/key length, session key options, etc, choices
> should I be making if I were to do this today?

Use the default settings.

> Under what circumstances would you want to choose only TLSv1 and not
> SSLv3 and TLSv1?

Use the default settings. With sufficiently recent versions of Postfix
the default is to disable SSLv2 in the SMTP client:

smtp_tls_protocols = !SSLv2

if your Postfix supports this parameter, it already defaults to this
value.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

From: Alex on
Hi,

> Most unlikely. I am not aware of any legacy versions of Postfix that
> support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
> support is sufficiently modern and robust.

I'm not happy saying that it's probably older than that.

> OpenSSL 1.0.0 will be released shortly, if you wait a bit, I would
> strongly recommend OpenSSL 1.0.0 over 0.9.8.

Will it be compatible with other programs compiled against 0.9.*?

>> What encryption/cipher/key length, session key options, etc, choices
>> should I be making if I were to do this today?
>
> Use the default settings.

How can I found out what those defaults are? Is this what I should
expect to see on a modern implementation?

Mar 1 00:00:39 smtp0 postfix/smtp[6676]: TLS connection established
to smtp.mydomain.com TLSv1 wit
h cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)

Is that a characteristic of the certificate that was created or how
postfix was compiled or otherwise?

Thanks,
Alex

From: Victor Duchovni on
On Tue, Mar 02, 2010 at 01:15:17PM -0500, Alex wrote:

> > Most unlikely. I am not aware of any legacy versions of Postfix that
> > support only SSLv2. Provided you have Postfix 2.3 or later, the TLS
> > support is sufficiently modern and robust.
>
> I'm not happy saying that it's probably older than that.

Older versions of Postfix still support SSLv3 and TLSv1, but the TLS
code in Postfix in those releases has some warts, so if you want more
than opportunistic TLS support, you need 2.3 or later.

> > OpenSSL 1.0.0 will be released shortly, if you wait a bit, I would
> > strongly recommend OpenSSL 1.0.0 over 0.9.8.
>
> Will it be compatible with other programs compiled against 0.9.*?

Source-compatible: yes. Binary-compatible: no. Code needs to be
re-compiled to run with OpenSSL 1.0.0.

> >> What encryption/cipher/key length, session key options, etc, choices
> >> should I be making if I were to do this today?
> >
> > Use the default settings.
>
> How can I found out what those defaults are? Is this what I should
> expect to see on a modern implementation?

Postfix settings are documented in postconf(5). Unless you are an SSL
expert who understands OpenSSL source code in detail, you really should
not change the default settings, and generally don't need to know what
they are.

> Mar 1 00:00:39 smtp0 postfix/smtp[6676]: TLS connection established
> to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
>
> Is that a characteristic of the certificate that was created or how
> postfix was compiled or otherwise?

The remote system or your OpenSSL library or both do not support AES.
AES support in OpenSSL was added in OpenSSL 0.9.7. If you have OpenSSL
0.9.6, you lack modern ciphers and have a bunch of unfixed SSL security
issues.

Bulk encryption cipher-suites have only a tangential connection to
certificates. The same certificate would have worked with AES256,
if both sides supported it.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.