Re: [mailop] key exchange parameters: ECDHE, DHE, RFC 7919
Dear Bastian, Thank you for your reply. Am 11.07.23 um 19:43 schrieb Bastian Blank: On Tue, Jul 11, 2023 at 05:47:12PM +0200, Paul Menzel via mailop wrote: Testing the mail setup, I was surprised to have the key exchange parameters flagged [1]: a1241.mx.srv.dfn.de.DH-2048 insufficient This test is for web or e-mail? MX or MSA? Given that this host only reacts on port 25 but not on port 587, I assume this is MX. Correct, it’s an MX. (The DFN – Deutsche Forschungsnetz – offers a MailSupport service, running MXes doing mostly spam filtering and phishing, and then passes the messages on.) Mozilla’s SSL Configuration Generator also suggests for *Intermediate* and *Old* [3]: # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam # not actually 1024 bits, this applies to all DHE >= 1024 bits smtpd_tls_dh1024_param_file = /path/to/dhparam This generator is for web and other authenticated use. You are talking about MX, which is unauthenticated in the absence of DANE. The DFN-MailSupport supports DANE since September 2020 [6]. For unauthenticated MX use you want to allow as much encrypted communication as possible. So don't disable TLS 1.0 or weak ciphers, clients will otherwise just downgrade to plaintext and make it worse. Agreed. That wasn’t my intention. So if you are not ready to also cut off plaintext connections overall, don't touch it too much. Clients will often restrict itself to more modern settings anyway. Indeed. Have most of you moved to ECDHE? If not, are you using the predefined finite field groups specified in RFC 7919 [5]? Every current system supports ECDHE, so sure. The original DH is dead, because it's just too slow. With Postfix 3.6 and empty `smtpd_tls_dh1024_param_file` (equals to auto) [7], Internet.nl shows DH 2048, but also ECDHE is supported. Then I tried to configure the RFC 7219 ffdhe3072 parameters, but somehow the Internet.nl email test still says DH 2048 is used. # wget -O /project/mx/etc/ffdhe3072.pem https://github.com/internetstandards/dhe_groups/blob/main/ffdhe3072.pem # postconf -n smtpd_tls_dh1024_param_file smtpd_tls_dh1024_param_file = /project/mx/etc/ffdhe3072.pem # postfix reload Viktor Dukhovni commented on postfix-users [8]: This is misguided. If 2048-bit RSA root CAs are good enough for WebPKI, system software updates, ... then 2048-bit DH parameters are also good enough for opportunistic TLS in SMTP. He recommended to ignore this test, which I will do, and set the parameter `smtpd_tls_dh1024_param_file` to empty. Kind regards, Paul [6]: https://www.mailsupport.dfn.de/news/aktivierung-der-tlsa-records [7]: https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file [8]: https://www.mail-archive.com/postfix-users@postfix.org/msg99647.html ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] key exchange parameters: ECDHE, DHE, RFC 7919
Hi On Wed, Jul 12, 2023 at 01:00:43AM +0300, Taavi Eomäe via mailop wrote: > On 11/07/2023 20:43, Bastian Blank via mailop wrote: > > Given that this host only reacts on port 25 but not on port 587, I > > assume this is MX. > Ideally one would offer implicit TLS on port 465 as well (RFC8314). But this RFC talks about submission of e-mail, exactly not what this thread is about. > > You are talking about MX, which is unauthenticated in the absence of DANE. > There's also MTA-STS, which doesn't rely on DNSSEC and introduce operational > complexity. This, the same way as DANE, asks the client to do authentication. So it is not included in my statement. And in that case the client enforces more strict rules normally. Bastian -- We Klingons believe as you do -- the sick should die. Only the strong should live. -- Kras, "Friday's Child", stardate 3497.2 ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] key exchange parameters: ECDHE, DHE, RFC 7919
On 11/07/2023 20:43, Bastian Blank via mailop wrote: Given that this host only reacts on port 25 but not on port 587, I assume this is MX. Ideally one would offer implicit TLS on port 465 as well (RFC8314). You are talking about MX, which is unauthenticated in the absence of DANE. There's also MTA-STS, which doesn't rely on DNSSEC and introduce operational complexity. smime.p7s Description: S/MIME Cryptographic Signature ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] key exchange parameters: ECDHE, DHE, RFC 7919
Hi On Tue, Jul 11, 2023 at 05:47:12PM +0200, Paul Menzel via mailop wrote: > Testing the mail setup, I was surprised to have the key exchange parameters > flagged [1]: > > a1241.mx.srv.dfn.de.DH-2048 insufficient This test is for web or e-mail? MX or MSA? Given that this host only reacts on port 25 but not on port 587, I assume this is MX. > Mozilla’s SSL Configuration Generator also suggests for *Intermediate* and > *Old* [3]: > # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam > # not actually 1024 bits, this applies to all DHE >= 1024 bits > smtpd_tls_dh1024_param_file = /path/to/dhparam This generator is for web and other authenticated use. You are talking about MX, which is unauthenticated in the absence of DANE. For unauthenticated MX use you want to allow as much encrypted communication as possible. So don't disable TLS 1.0 or weak ciphers, clients will otherwise just downgrade to plaintext and make it worse. So if you are not ready to also cut off plaintext connections overall, don't touch it too much. Clients will often restrict itself to more modern settings anyway. > Have most of you moved to ECDHE? If not, are you using the predefined finite > field groups specified in RFC 7919 [5]? Every current system supports ECDHE, so sure. The original DH is dead, because it's just too slow. Bastian -- I have never understood the female capacity to avoid a direct answer to any question. -- Spock, "This Side of Paradise", stardate 3417.3 ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] key exchange parameters: ECDHE, DHE, RFC 7919
Dňa 11. júla 2023 15:47:12 UTC používateľ Paul Menzel via mailop napísal: >Have most of you moved to ECDHE? If not, are you using the predefined finite >field groups specified in RFC 7919 [5]? I do not know what most of others, but i disabled DHE ciphersuites, including all FFDH groups some years ago. Roughly in time when OpenSSL with TLS1.3 come into Debian oldstable. Thus yes, only ECDHE here. regards -- Slavko https://www.slavino.sk/ ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop