On Mon, Dec 23, 2013 at 05:49:40PM +0100, Tom Hendrikx wrote:

> > I am still fixing it for clarity, but it should be accurate.
> > Feedback is welcome.
> > 
> 
> After reading, I'm having some questions.

s/reading/skimming/ :-)

> The document states that forward secrecy is supported by default on
> recent postfix installs. However, the quick-start still has some
> settings that apparently need tweaking.

They don't *need* tweaking.  However, the "tweaked" settings are
*recommended*.

> Setting 'smtpd_tls_eecdh_grade = strong' is already available as
> default (tested with postfix 2.10), so no actual work here.

As stated.

> Setting the files (and refreshing them using a cronjob) specified by
> 'smtpd_tls_mumble_param_file' is a bit unclear though. The default for
> these params is empty, and setting them does not really show a
> different behavior in postfix (i.e. using different ciphers and keys)
> as far as visible from the logged information.

    http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs

    ...

    Postfix >= 2.2 support 1024-bit-prime EDH out of the box, with no
    additional configuration, but you may want to override the default
    prime to be 2048 bits long, and you may want to regenerate your
    primes periodically.

> But since forward secrecy is supported by default, what does it help
> to specify these params, and re-generate them once in a while?

The default non-export prime is 1024 bits.  As explained in the
document, you should consider using a 2048 bit non-export prime.

The best attacks on prime EDH are "pre-computation" attacks, where
one spends a bunch of time computing a bunch of data about a
particular prime, and is then able to quickly solve the underlying
problem much faster for any input.

Though prime lengths are chosen based on such pre-computation attacks
(rule of thumb is that for equivalent security EDH primes should
be about as long as RSA moduli) which are believed to be out of
reach for 2048 bit primes and perhaps still out of reach even for
1024 bit primes, one can make the attacks much less attractive by
frequently generating new primes independently at each site.

The compiled-in default prime in the Postfix source code is perhaps
within reach of the best-funded adversaries, who may have performed
the requisite pre-computation.  Primes you generate on your server,
and use for a short time are unlikely to warrant the extraordinary
cost of the pre-computation attack.

> I've no deep ssl knowledge, but the smtpd_tls_dh1024_param_file postconf
> documentation seems to indicate that openssl distributes some kind of
> defaults for these contents?

I don't believe that OpenSSL provides default parameters, but
Postfix does.

> Maybe it's a nice idea to make the
> forward secrecy and/or postconf documentation a bit verbose on how
> this works, and what benefits manual generation of these params has?

The more advanced material we put in the document, the more
intimidating it will be for the average reader.  But of course an
empty document is not optimal, so we have to aim for the middle.

There is a range of reader sophistication we can support; it is a
trade-off between readable hands-on knowledge and a more detailed,
but technically demanding presentation of the rationale.


-- 
        Viktor.
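
The periodic regeneration discussed in this message, sketched as a script that cron could run. This is an added example, not part of the original e-mail or of the Postfix documentation; the function name, the `dh<BITS>.pem` file naming and the `/etc/postfix` path are assumptions.

```shell
#!/bin/sh
# Added example: regenerate the DH parameter file that
# smtpd_tls_dh1024_param_file points at. Function name, file naming
# and paths are assumptions made for this illustration.

# regen_dh_params DIR BITS
# Writes DIR/dh<BITS>.pem. An existing file is replaced only after new
# parameters were generated and passed "openssl dhparam -check", so a
# failed or interrupted run never leaves the server without usable
# parameters.
regen_dh_params() {
    dir=$1
    bits=$2
    final="$dir/dh$bits.pem"
    tmp="$dir/dh$bits.tmp.$$"

    # DH parameters are public values; the file only has to be readable.
    umask 022

    # Finding a 2048-bit prime can take a while; that is expected.
    if ! openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi

    # Reject empty or malformed output before it can replace the old file.
    if [ ! -s "$tmp" ] ||
       ! openssl dhparam -check -noout -in "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi

    # A rename within one directory is atomic: readers see either the
    # old parameters or the new ones, never a partial file.
    mv -f "$tmp" "$final"
}

# Assumed invocation from cron:  regen_dh.sh /etc/postfix 2048
# with main.cf containing:
#   smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
if [ "$#" -eq 2 ]; then
    regen_dh_params "$1" "$2"
fi
```

Despite its name, `smtpd_tls_dh1024_param_file` is the parameter that carries the non-export prime, so pointing it at a 2048-bit file is how the larger prime recommended above is configured.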
