4

I would like to force my own set of TLS cipher suites rather than use the Postfix built-in ones.

My desired set of ciphers is (taken from nginx configuration):

```
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
```

Unfortunately I cannot find a reference to override the cipher suites. I found notices that it is possible but not how.

What would the equivalent Postfix configuration for smtp and smtpd look like?

Using Debian/7, Postfix/2.11.2, OpenSSL/1.0.1e

burnersk
  • 3
    **Don't do this.** You will actually reduce the security of your email in transit. The reason is that if another mail server that speaks to yours doesn't support any of the ciphers you have specified, then TLS will fail entirely. The message will then be sent with _no_ encryption, rather than simply _weak_ crypto. – Michael Hampton Feb 21 '15 at 10:12
  • 1
    Probably worse than that. Failing within the TLS handshake causes MTAs like sendmail to try again later with the same settings, so that they fail again. They will not retry with downgraded settings. At the end the delivery will permanently fail. – Steffen Ullrich Feb 21 '15 at 12:53

3 Answers

10

From Applied Crypto Hardening by bettercrypto.org:

```
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
```

[UPDATE: As the bettercrypto project, from which I took the cipher string, is no longer active, make sure to choose your cipher string from a current source.]

For master.cf you may want to configure the submission port to TLS only:

```
submission inet n - - - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o tls_preempt_cipherlist=yes
```

[UPDATE: For TLS 1.3 fewer ciphers are available and the resulting cipher differs from those for TLS <= 1.2. The good news is that only secure ciphers are allowed. More details here: https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites]


However, this does not disallow usage of outdated ciphers for security level may; according to pull request #97, you can do this with:

```
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
```

But this has not been merged, for the following reason:

I am going to close this, SSLv3 makes sense here since it's better than good ol' plaintext.

sebix
  • 3
    Additional info taken from [this page](https://tribut.de/blog/secure-your-services-using-sane-cipher-ordering/) by Felix Eckhofer: "Postfix has five internal lists of ciphers **that the authors suggest should not be changed**. ... You have a choice between (from most to least secure) **high**, **medium**, **low**, **export** and **null**. Check the output of `postconf -d` for the parameters `tls_high_cipherlist`, `tls_medium_cipherlist` and so on to see which ciphers are in which list." – masegaloeh Feb 21 '15 at 10:40
  • Thanks for this information, should include that in the document :) – sebix Feb 21 '15 at 10:58
3

man postconf says "You are strongly encouraged to not change this setting."

Nevertheless, you can, like this:

```
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers=high
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
```

I assume this is experimental and you're not worried about mail flow from most MTAs. Check for "handshake failure" in the postfix logs. I'd suggest testing with smtp_ outgoing first so you can see what's in the queue and any local nginx-generated SMTP sessions shouldn't fail.

Cedric Knight
  • This enforces usage of TLS; if the other device does not support it, mail delivery fails. Unfortunately there are many mail sending servers out on the internet which do not support TLS at all for various but inexplicable reasons. – sebix Feb 21 '15 at 10:57
  • 1
    True. As I say I was assuming the questioner was not worried about all MTAs and was checking logs and queues, otherwise they wouldn't be limiting ciphers. If you choose smtp_tls_security_level = may, then also set "smtp_tls_protocols" and "smtp_tls_protocols", and see the header for (E)SMTPS to verify security. Using smtp_tls_loglevel = 1 I can see this cipher list successfully negotiates TLS1.2 and ECDHE-RSA-AES128-GCM-SHA256 with Yahoo MXs. – Cedric Knight Feb 21 '15 at 11:07
  • s/smtp_tls_protocols/smtp_tls_ciphers/ – Cedric Knight Feb 21 '15 at 11:13
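
The log check suggested in this answer can be scripted. The following is an added example, not part of the original answers: it tallies negotiated ciphers and failed handshakes per peer from Postfix log lines written at `smtp_tls_loglevel = 1`. The sample lines (hosts, addresses, queue ID, OpenSSL error codes) are constructed, and the message patterns are assumed to match your Postfix and OpenSSL versions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape Postfix logs at *_tls_loglevel = 1
# (hosts, addresses, queue ID and OpenSSL error codes are made up).
SAMPLE_LOG = """\
Feb 21 11:05:01 mx postfix/smtp[2101]: Trusted TLS connection established to mta.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 21 11:06:12 mx postfix/smtp[2107]: SSL_connect error to old.example.org[198.51.100.7]:25: -1
Feb 21 11:06:12 mx postfix/smtp[2107]: warning: TLS library problem: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
Feb 21 11:06:12 mx postfix/smtp[2107]: 3A1B2C4D5E: to=<user@old.example.org>, relay=old.example.org[198.51.100.7]:25, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Feb 21 11:07:30 mx postfix/smtpd[2110]: SSL_accept error from unknown[203.0.113.5]: -1
Feb 21 11:07:30 mx postfix/smtpd[2110]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Feb 21 11:08:00 mx postfix/smtpd[2111]: Anonymous TLS connection established from mail.example.com[192.0.2.44]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

PROC = re.compile(r"postfix/(?:\S+/)?(?P<svc>smtpd?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OK = re.compile(r"TLS connection established (?:to|from) (?P<peer>\S+?\[[^\]]+\])(?::\d+)?: "
                r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
FAIL = re.compile(r"SSL_(?:connect|accept) error (?:to|from) (?P<peer>\S+?\[[^\]]+\])")
REASON = re.compile(r"TLS library problem: .*:SSL routines:[^:]*:(?P<reason>[^:]+):")


def summarize(log_text):
    """Return (negotiated, failures) for Postfix TLS events in log_text."""
    negotiated = Counter()        # (service, protocol, cipher) -> count
    failures = defaultdict(list)  # (service, peer) -> [OpenSSL reason, ...]
    pending = {}                  # pid -> failure key still waiting for its reason
    for line in log_text.splitlines():
        m = PROC.search(line)
        if not m:
            continue
        svc, pid, msg = m.group("svc", "pid", "msg")
        if (ok := OK.search(msg)):
            negotiated[(svc, ok["proto"], ok["cipher"])] += 1
        elif (bad := FAIL.search(msg)):
            key = (svc, bad["peer"])
            failures[key].append("unknown")
            pending[pid] = key
        elif (why := REASON.search(msg)) and pid in pending:
            # The warning line follows the error line from the same process.
            failures[pending.pop(pid)][-1] = why["reason"]
    return negotiated, dict(failures)


if __name__ == "__main__":
    negotiated, failures = summarize(SAMPLE_LOG)
    for (svc, proto, cipher), n in negotiated.items():
        print(f"ok   {svc:5} {proto:8} {cipher} x{n}")
    for (svc, peer), reasons in failures.items():
        print(f"FAIL {svc:5} {peer}: {', '.join(reasons)}")
```

Peers that only ever appear under FAIL are the ones a restricted `tls_high_cipherlist` has locked out; `smtp` entries are outgoing deliveries, `smtpd` entries are incoming connections.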
0

It is well documented. From http://www.postfix.org/TLS_README.html#server_cipher

```
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
```
Steffen Ullrich
  • I want to use my own cipher suites and not some suites which I have to look for in source code. – burnersk Feb 21 '15 at 10:00
  • In case it is not clear to you from reading the documentation: the settings are the ciphers as made available by openssl, same as with nginx. – Steffen Ullrich Feb 21 '15 at 12:50
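
Because these settings take OpenSSL cipher strings, a string can be expanded and reviewed before it goes into `tls_high_cipherlist`. This added example (not from the original answers) does that with Python's `ssl` module and flags suites by their OpenSSL names. It assumes Python is linked against an OpenSSL comparable to the one Postfix uses; `resolve` and `review` are hypothetical helper names.

```python
import ssl


def resolve(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build.

    Returns (tls12_and_below, tls13). set_ciphers() only controls the first
    list; TLS 1.3 suites are configured separately and are reported as-is.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return [], []  # nothing in the string matched an available cipher
    legacy, tls13 = [], []
    for c in ctx.get_ciphers():
        (tls13 if c["protocol"] == "TLSv1.3" else legacy).append(c["name"])
    return legacy, tls13


def review(names):
    """Flag suites by OpenSSL naming convention (a heuristic, not a full audit)."""
    findings = {}
    for name in names:
        flags = []
        if not name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_")):
            flags.append("no (EC)DHE")  # e.g. static RSA key exchange
        if not any(t in name for t in ("GCM", "CCM", "CHACHA20")):
            flags.append("not AEAD")
        if "DES-CBC3" in name:
            flags.append("3DES")
        if flags:
            findings[name] = flags
    return findings


if __name__ == "__main__":
    # Constructed subset of the cipher string from the question.
    legacy, tls13 = resolve(
        "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4")
    print("TLS <= 1.2:", legacy)
    print("TLS 1.3 (not affected by the string):", tls13)
    for name, flags in review(legacy).items():
        print(name, "->", ", ".join(flags))
```

Suites that the local OpenSSL build no longer ships (3DES on many current systems) simply drop out of the expanded list, so the output can differ from what OpenSSL/1.0.1e would produce.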