Three questions:

  1. Correct me if I'm wrong:
    smtpd_tls_mandatory_ciphers => settings for incoming mandatory TLS encryption
    smtpd_tls_ciphers => settings for incoming opportunistic TLS encryption
    smtp_tls_mandatory_ciphers => settings for outgoing mandatory TLS encryption
    smtp_tls_ciphers => settings for outgoing opportunistic TLS encryption
  2. If I set both smtpd_tls_security_level and smtp_tls_security_level to may then only the opportunistic settings are relevant meaning it does not matter what I set in the mandatory ones?
  3. If I want to make a secure but still public mail server, would the following configuration (with regard to the cryptography used) be alright? I am not too sure about how many servers currently support TLS, or which security levels in general, but I still want to be able to communicate with most of them.

    smtpd_tls_mandatory_ciphers = high
    smtp_tls_mandatory_ciphers = high
    smtpd_tls_ciphers = high
    smtp_tls_ciphers = high
    smtp_tls_security_level = may
    smtpd_tls_security_level = may

    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

    # hope this is enough since it is also added to the mandatory exclusions
    smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
    smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
    

Background: It is for a security oriented company, with pretty high security standards BUT I also don't want any emails to get lost with this configuration.

PS: I've read the explanation for the configuration parameters, and it is also where most of my knowledge comes from.

masegaloeh
Akimiya

1 Answer
  1. Concerning smtp[d]_tls_[mandatory_]ciphers

Yes.

  2. If I set both smtpd_tls_security_level and smtp_tls_security_level to may then only the opportunistic settings are relevant meaning it does not matter what I set in the mandatory ones?

Yes.

  3. If I want to make a secure but still public mail server would the following configuration (with regard to the cryptography used) be alright?

You are disabling SSL and constraining the ciphers, but unencrypted traffic is still allowed. I consider bad encryption better than no encryption at all, for communication with other mailservers.

To cite the paper Applied Crypto Hardening (ACH) by Bettercrypto:

Postfix has five internal lists of ciphers, and the possibility to switch between those with smtpd_tls_ciphers. However, we leave this at its default value for server to server connections, as many mail servers only support outdated protocols and ciphers. We consider bad encryption still better than plain text transmission. For connections to MUAs, TLS is mandatory and the ciphersuite is modified.

For the connections to mail clients, it is very useful to constrain the ciphers and protocols, as also to prefer good ones.

MX and SMTP client configuration: As discussed in section 2.3.1, because of opportunistic encryption we do not restrict the list of ciphers or protocols for communication with other mail servers to avoid transmission in plain text.

The recommended configuration is the following:

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    # use 0 for Postfix >= 2.9, and 1 for earlier versions
    smtpd_tls_loglevel = 0
    # enable opportunistic TLS support in the SMTP server and client
    smtpd_tls_security_level = may
    smtp_tls_security_level = may
    smtp_tls_loglevel = 1
    # if you have authentication enabled, only offer it after STARTTLS
    smtpd_tls_auth_only = yes
    tls_ssl_options = NO_COMPRESSION

    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_ciphers=high
    tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    smtpd_tls_eecdh_grade=ultra

And this for master.cf:

    submission inet n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o tls_preempt_cipherlist=yes

With the given ciphersuite, the server prefers the best available ciphers, also Perfect Secrecy if possible, and also supports all relevant clients without allowing bad ciphers. For more details please see the linked paper; it gives very detailed information about the recommendations, including theory. The explanations for the Postfix section cited above were contributed by me (and reviewed by many others).

sebix
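To make the two rules from the answer concrete (opportunistic `may` uses `smtp[d]_tls_ciphers` and `smtp[d]_tls_protocols`; the mandatory levels such as `encrypt` use the `_mandatory_` variants; `smtp[d]_tls_exclude_ciphers` applies at every level and the `_mandatory_exclude_ciphers` list is added on top), here is an added Python example. It is not part of the question, the answer or the ACH paper. It parses a constructed main.cf fragment modelled on the question (with `smtpd_tls_ciphers` lowered to `medium` and one mandatory-only exclusion added so that the two paths differ visibly) and applies the submission `-o` override from the answer's master.cf as a dict, then reports what the SMTP client, port 25 and the submission service actually end up using. The `DEFAULTS` table is an assumption taken from postconf(5) for Postfix 2.6 and later; confirm the values on your build with `postconf -d`.

```python
"""Resolve which Postfix TLS parameters are in effect for a given service.

Added example (not from the question, the answer or the ACH paper). Rules
modelled, as given in the answer and postconf(5): opportunistic "may" uses
smtp[d]_tls_ciphers/_protocols, mandatory levels use the _mandatory_ variants,
smtp[d]_tls_exclude_ciphers applies at every level and the
_mandatory_exclude_ciphers list is added on top; master.cf "-o" overrides main.cf.
"""
import re

MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

# Assumed defaults, taken from postconf(5) for Postfix >= 2.6 (older releases
# defaulted the cipher grades to "export"); verify yours with `postconf -d`.
DEFAULTS = {}
for _side in ("smtp", "smtpd"):
    DEFAULTS.update({
        f"{_side}_tls_security_level": "",
        f"{_side}_tls_ciphers": "medium", f"{_side}_tls_mandatory_ciphers": "medium",
        f"{_side}_tls_protocols": "!SSLv2, !SSLv3",
        f"{_side}_tls_mandatory_protocols": "!SSLv2, !SSLv3",
        f"{_side}_tls_exclude_ciphers": "", f"{_side}_tls_mandatory_exclude_ciphers": "",
    })

# Constructed main.cf: the question's settings, but with the opportunistic
# smtpd grade lowered to "medium" and one mandatory-only exclusion added, so
# the opportunistic and mandatory paths give visibly different answers.
MAIN_CF = """
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = medium
smtp_tls_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# applies at every security level
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
# added on top only at mandatory levels (the submission service below)
smtpd_tls_mandatory_exclude_ciphers = 3DES
"""

# The "-o" lines of the answer's master.cf submission entry, as a dict.
SUBMISSION_OVERRIDES = {"smtpd_tls_security_level": "encrypt",
                        "tls_preempt_cipherlist": "yes"}


def split_list(value):
    """Postfix list syntax: items separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def parse_main_cf(text):
    """'name = value' lines; '#' lines are comments; indented lines continue."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:   # continuation line
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def effective_tls(params, side, overrides=None):
    """What `side` ("smtp" = client, "smtpd" = server) really uses."""
    p = {**DEFAULTS, **params, **(overrides or {})}
    level = p[f"{side}_tls_security_level"]
    if level in ("", "none"):
        kind, infix = "off", ""
    elif level == "may":
        kind, infix = "opportunistic", ""
    elif level in MANDATORY:
        kind, infix = "mandatory", "mandatory_"
    else:   # unknown, or the client "dane" level, decided per destination at run time
        raise ValueError(f"{side}_tls_security_level={level!r}: not resolvable here")
    exclude = split_list(p[f"{side}_tls_exclude_ciphers"])      # every level
    if kind == "mandatory":
        exclude += split_list(p[f"{side}_tls_mandatory_exclude_ciphers"])
    return {
        "level": level or "none",
        "tls_enabled": kind != "off",
        "kind": kind,
        "ciphers": p[f"{side}_tls_{infix}ciphers"],
        "protocols": split_list(p[f"{side}_tls_{infix}protocols"]),
        "exclude": exclude,
    }


def report(main_cf=MAIN_CF):
    """Effective settings for the client, port 25 and the submission service."""
    params = parse_main_cf(main_cf)
    return {
        "smtp client": effective_tls(params, "smtp"),
        "smtpd port 25": effective_tls(params, "smtpd"),
        "smtpd submission": effective_tls(params, "smtpd", SUBMISSION_OVERRIDES),
    }


if __name__ == "__main__":
    for name, e in report().items():
        print(f"{name:17} {e['level']:8} {e['kind']:13} ciphers={e['ciphers']:7}"
              f" protocols={','.join(e['protocols'])} exclude={','.join(e['exclude'])}")
```

Run against the constructed input, port 25 (level `may`) resolves to the `medium` grade and the four common exclusions, while the submission service (forced to `encrypt`) resolves to `high` and additionally drops 3DES, which is exactly why the mandatory parameters are irrelevant on a `may`-only server and become relevant the moment a master.cf entry overrides the level. Feed the function your own `postconf -n` output to see what each of your services is really using.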
  • Thanks for the paper but they kind of don't explain some decisions they make there. I somehow wonder why the loglevel for smtpd should be 0 and for smtp 1. The other is that the smtp(d)_tls_ciphers are by default `export` and I get the feeling that it's bad to have them below `medium` if not `high`, since the `tls_high_cipherlist` is only used with high (if I understood it correctly). – Akimiya May 21 '15 at 10:31
  • As I wrote above, bad encryption is considered worse than no encryption at all. Keep in mind that the software and libraries in the mail server landscape are in much worse state than the web world concerning encryption. For the web, you can make encryption mandatory for all clients and even forbid SSL, but for mails this is impossible and won't work for more than 90% of the mail servers. The high loglevel is only for debugging and statistics, to see which encryption is used. Feel free to adjust it to your needs. – sebix May 21 '15 at 11:27
  • If I look up at [tribut.de](https://tribut.de/) which was recommended to me elsewhere and another forum it seems that `medium` is an acceptable setting. Is it somehow possible to say that "if you don't support any ciphers I do then don't send mail" but for those who are only able to use plain text to still use it? I'm ok if I can only reach ~95% servers worldwide if I can still ensure a good security. – Akimiya May 21 '15 at 13:24
  • @Akimiya You can have a look on the [Google Transparency Report: Safer Mail](https://www.google.com/transparencyreport/saferemail/) to see how much of their traffic has been encrypted. There will come more detailed data and evaluations in a couple of months from some well known researchers. Some raw data on STARTTLS can be found at [scans.io](https://scans.io/series/25-smtp-starttls-full_ipv4). – sebix May 24 '15 at 11:45