Discussion:
problems strengthening ssl config in postfix
r***@gmail.com
2014-03-25 21:59:10 UTC
Hello All,

I'm having some trouble hardening my ssl config in postfix (2.10.2).

In main.conf I have the following:

smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_eecdh_grade = strong

but these mandatory config options are not being enforced:

http://pastebin.com/2GehRN2R

If I change smtpd_tls_security_level from may to encrypt, the mandatory config
options are immediately enforced:

http://pastebin.com/Tmr7igBz

Does anyone know why "smtpd_tls_security_level = may" doesn't seem to work
with the mandatory ciphers/protocols?

Thanks.
Burkhard Ott
2014-03-26 01:43:59 UTC
Post by r***@gmail.com
Hello All,
I'm having some trouble hardening my ssl config in postfix (2.10.2).
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_eecdh_grade = strong
Did you define tls_high_cipherlist?
You may also define smtpd_tls_dh1024_param_file and
smtpd_tls_dh512_param_file, depending on your algorithms.

cheers
r***@gmail.com
2014-03-26 19:24:08 UTC
Post by Burkhard Ott
Post by r***@gmail.com
Hello All,
I'm having some trouble hardening my ssl config in postfix (2.10.2).
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_eecdh_grade = strong
Did you define tls_high_cipherlist?
You may also define smtpd_tls_dh1024_param_file and
smtpd_tls_dh512_param_file, depending on your algorithms.
cheers
No, I did not define any of these. Is it required?
Burkhard Ott
2014-03-28 03:28:10 UTC
Post by r***@gmail.com
Post by Burkhard Ott
Post by r***@gmail.com
Hello All,
I'm having some trouble hardening my ssl config in postfix (2.10.2).
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_eecdh_grade = strong
Did you define tls_high_cipherlist?
You may also define smtpd_tls_dh1024_param_file and
smtpd_tls_dh512_param_file, depending on your algorithms.
cheers
No, I did not define any of these. Is it required?
If you want to use one other than the default, yes.

e.g.:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM .....

Have a look at SSLv3; not sure if you really want something like
SSL_RSA_WITH_NULL_MD5 :)

https://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_
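The behaviour the original poster observed (the smtpd_tls_mandatory_* settings taking effect only once smtpd_tls_security_level is raised from may to encrypt) can be checked mechanically before a config is deployed. The following is an added example, not code from any poster in this thread or from the Postfix project. It parses main.cf-style text and, using the parameter semantics documented in postconf(5) (the mandatory variants govern mandatory TLS, i.e. level encrypt; smtpd_tls_ciphers, smtpd_tls_exclude_ciphers and smtpd_tls_protocols govern opportunistic TLS at level may), reports which restrictions are actually in force. The sample main.cf text is constructed from the first post; the continuation-line join with a single space is an assumption that is adequate for list-valued parameters, where whitespace is a separator.

```python
"""Audit which smtpd TLS cipher/protocol settings are in effect.

Added example (not from the thread or from Postfix). Parameter names and
their security-level semantics follow postconf(5).
"""

# Mandatory-TLS parameter -> counterpart that governs opportunistic TLS.
# The mandatory variants only take effect at smtpd_tls_security_level = encrypt.
MANDATORY_TO_OPPORTUNISTIC = {
    "smtpd_tls_mandatory_ciphers": "smtpd_tls_ciphers",
    "smtpd_tls_mandatory_exclude_ciphers": "smtpd_tls_exclude_ciphers",
    "smtpd_tls_mandatory_protocols": "smtpd_tls_protocols",
}

# Constructed sample input: the original poster's settings plus one
# continuation line to exercise the parser.
SAMPLE_MAIN_CF = """\
# TLS settings under test (constructed sample input)
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_eecdh_grade = strong
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:
    EECDH+aRSA+AESGCM
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and
    continuation lines that begin with whitespace. Later assignments win."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # Continuation line: append to the previous logical line
            # (assumption: a single space is an adequate join here).
            params[current] = params[current] + " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep or not name.strip():
            continue  # malformed line: skip rather than guess
        current = name.strip()
        params[current] = value.strip()
    return params


def audit_smtpd_tls(params):
    """Report which restrictions govern the server at the configured level.

    Returns a dict with the level, whether the mandatory settings are
    enforced, the mandatory settings that are ignored at this level, and
    the opportunistic-TLS lines that would express the same restriction."""
    level = params.get("smtpd_tls_security_level", "none")
    report = {
        "level": level,
        "mandatory_enforced": level == "encrypt",
        "ignored": [],
        "suggested": [],
    }
    if level == "none":
        # TLS is disabled entirely; every cipher/protocol setting is moot.
        report["ignored"] = [p for p in MANDATORY_TO_OPPORTUNISTIC if p in params]
        return report
    if level == "may":
        for mandatory, counterpart in MANDATORY_TO_OPPORTUNISTIC.items():
            if mandatory in params:
                report["ignored"].append(mandatory)
                if counterpart not in params:
                    # Same restriction, expressed for opportunistic TLS.
                    report["suggested"].append(f"{counterpart} = {params[mandatory]}")
    return report


if __name__ == "__main__":
    rep = audit_smtpd_tls(parse_main_cf(SAMPLE_MAIN_CF))
    print(f"smtpd_tls_security_level = {rep['level']}; "
          f"mandatory settings enforced: {rep['mandatory_enforced']}")
    for name in rep["ignored"]:
        print(f"  ignored:  {name}")
    for line in rep["suggested"]:
        print(f"  consider: {line}")
```

On the poster's config the audit lists all three mandatory settings as ignored and suggests the opportunistic counterparts. Whether to apply them is a separate decision: at level may a client that cannot meet a strict cipher or protocol requirement fails the TLS handshake and will normally retry in cleartext, so tightening the opportunistic settings can trade encrypted-but-weaker sessions for plaintext ones, which is why the strict grades belong with level encrypt, where failing closed is the intent.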