Recent updates to the supported Postfix releases have updated the
default settings of the OpenSSL ciphers used for opportunistic TLS
from "export" to "medium.
If you're not yet using one of the releases from mid July, or
have set non-default values for either of:
smtpd_tls_protocols
smtpd_tls_ciphers
smtp_tls_protocols
smtp_tls_ciphers
You should in most cases update main.cf by setting:
# Exclude obsolete weak crypto.
#
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
this will disable obsolete SSL protocol versions and the weakest
ciphersuites that are rarely if ever used, and should not be used
going forward. The above settings are the defaults for the most
recent Postfix versions.
If you need to send email to Exchange 2003 servers (not necessarily
your own), you might also want to set:
# Drop "exotic" ciphers leaving room for RC4-SHA in the top 64
#
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA,
RC2, RC5
which disables very rarely used ciphersuites that are not expected
to be required for interoperability, making it possible for Exchange
2003 SMTP servers to negotiate RC4-SHA, which is the best ciphersuite
that software supports.
With Postfix 2.11 or later, you don't need a file-based TLS session
cache. Session tickets are better:
# Empty is best with Postfix >= 2.11
#
smtpd_tls_session_cache_database =
Finally, you should generally use 2048-bit rather than 1024-bit DH
parameters:
http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
The 512-bit parameter file won't be used if you've disabled "EXPORT"
ciphers by setting "smtpd_tls_ciphers = medium" as recommended
above. You can even set:
smtpd_tls_dh512_param_file = ${config_directory}/dh2048.pem
which would likely result in handshake failure if a DHE EXPORT
cipher were negotiated, which is arguably a safety feature. Worst
case you'll be using an export ciphersuite with a key agreement
protocol immune to LOGJAM.
--
Viktor.