"Perfect forward secrecy (PFS) is a property of the key-agreement 
protocol that ensures that a session key derived from a set of long-term 
public and private keys will not be compromised if one of the 
(long-term) private keys is compromised in the future"
(Source: http://en.wikipedia.org/wiki/Perfect_forward_secrecy)

The problem: Courier does unfortunately NOT use forward secrecy.

Whether PFS is in use can be checked with:
openssl s_client -starttls smtp -connect your-host.net:25
openssl s_client -connect your-host.net:465
=> in the output the line "Cipher:" must contain either DHE or ECDHE if 
forward secrecy is active.

I've tried changing the option TLS_CIPHER_LIST in esmtpd and esmtpd-ssl 
using the cipher list from dovecot ("ALL:!LOW:!SSLv2:!EXP:!aNULL") as 
well as the cipher list recommended in a discussion from late 2012 on 
the courier-imap list 
(http://sourceforge.net/mailarchive/forum.php?thread_name=cone.1353972661.237590.10550.1000%40monster.email-scan.com&forum_name=courier-imap)
but this has not changed the problem.

I've therefore not been able to get courier to use the secure key 
exchange ciphers (DHE*, ECDHE*).

Will this security problem get fixed anytime soon (or do I have to move 
to postfix which does this just fine, just like dovecot)?
If it can be fixed with a different TLS_CIPHER_LIST please make this new 
cipher list the default. I have however been unable to do so, but this 
may be just my stupidity :-)

Gerald

PS: I'm running courier 0.69 on Gentoo Linux 64Bit.  Openssl version is 
1.0.1c, I've not tried Courier with GnuTLS. I have however now updated 
to Courier 0.71 and it has not changed anything.
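As an added example (not part of Gerald's post or of Courier itself): a small POSIX shell script that runs the two openssl s_client probes described above and classifies the negotiated cipher suite by its key-exchange method, so the "Cipher:" check can be scripted instead of read by eye. The host name your-host.net and the sample transcripts are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): classify the cipher suite that
# "openssl s_client" negotiated by its key-exchange method. DHE/ECDHE suites
# use ephemeral keys, so a recorded session stays confidential even if the
# server's long-term private key leaks later; RSA key-transport suites do not.

# pfs_from_output: reads s_client output on stdin, prints the verdict and
# returns 0 for a forward-secret suite, 1 for a non-PFS suite, 2 if no
# cipher line was found (handshake failed or no TLS at all).
pfs_from_output() {
    # The SSL-Session block holds a line like "    Cipher    : DHE-RSA-AES256-SHA".
    cipher=$(sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)"|0000)
            echo "NO-TLS"; return 2 ;;
        ECDHE-*|DHE-*|EDH-*|TLS_*)
            # TLS_* names are TLS 1.3 suites, which always use (EC)DHE.
            echo "PFS ($cipher)"; return 0 ;;
        *)
            echo "NO-PFS ($cipher)"; return 1 ;;
    esac
}

# check_host HOST PORT [STARTTLS-PROTO]: the probes from the post, piped into
# the classifier. Needs network access; your-host.net is a placeholder.
check_host() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then
        openssl s_client -starttls "$proto" -connect "$host:$port" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" </dev/null 2>/dev/null
    fi | pfs_from_output
}

# Constructed, abbreviated s_client transcripts so the classifier can be
# exercised without a live server.
SAMPLE_PFS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_NOPFS='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

# Live usage: check_host your-host.net 25 smtp ; check_host your-host.net 465
```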


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
