Re: tls_high_cipherlist with !SEED is ignored

2019-01-15 Thread Viktor Dukhovni
> On Jan 15, 2019, at 3:39 PM, Stefan Bauer  wrote:
> 
> I just want to set allowed ciphers but cannot enforce encryption generally.

You cannot enforce encryption on the submission port?  Why not?

> This seems to be a limitation and not possible, right?

The ciphers are configurable, but the recommended interface for most users
is to specify exclusions from the low level cipherlists, rather than deal
with their non-trivial syntax.

-- 
Viktor.



Re: tls_high_cipherlist with !SEED is ignored

2019-01-15 Thread Stefan Bauer
Now I got it. Sorry, and thank you for your help.

On Tuesday, 15 January 2019, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> On Jan 15, 2019, at 8:39 AM, Stefan Bauer  wrote:
>>
>>  -o smtpd_tls_mandatory_ciphers=high
>>  -o tls_preempt_cipherlist=yes
>>  -o tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
>
> Instead, try:
>
>   master.cf:
> submission inet ... smtpd
>   ...
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_mandatory_ciphers=high
>   -o smtpd_tls_exclude_ciphers=$msa_exclude_ciphers
>
>   main.cf:
> msa_exclude_ciphers = SEED
>
> See: http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers
>
> --
> Viktor.
>
>


Re: tls_high_cipherlist with !SEED is ignored

2019-01-15 Thread Stefan Bauer
I just want to set allowed ciphers but cannot enforce encryption
generally. This seems to be a limitation and not possible, right?

On Tuesday, 15 January 2019, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> On Jan 15, 2019, at 8:39 AM, Stefan Bauer  wrote:
>>
>>  -o smtpd_tls_mandatory_ciphers=high
>>  -o tls_preempt_cipherlist=yes
>>  -o tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
>
> Instead, try:
>
>   master.cf:
> submission inet ... smtpd
>   ...
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_mandatory_ciphers=high
>   -o smtpd_tls_exclude_ciphers=$msa_exclude_ciphers
>
>   main.cf:
> msa_exclude_ciphers = SEED
>
> See: http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers
>
> --
> Viktor.
>
>


Re: tls_high_cipherlist with !SEED is ignored

2019-01-15 Thread Viktor Dukhovni
> On Jan 15, 2019, at 8:39 AM, Stefan Bauer  wrote:
> 
>  -o smtpd_tls_mandatory_ciphers=high
>  -o tls_preempt_cipherlist=yes
>  -o tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

Instead, try:

  master.cf:
submission inet ... smtpd
  ...
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_exclude_ciphers=$msa_exclude_ciphers

  main.cf:
msa_exclude_ciphers = SEED

See: http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers

-- 
Viktor.



Re: tls_high_cipherlist with !SEED is ignored

2019-01-15 Thread Wietse Venema
Stefan Bauer:
> Nessus reports, for example, TLS_RSA_WITH_SEED_CBC_SHA as weak on our
> submission port. So I was using the following to disable all SEED ciphers
> on the submission port, but it has no effect:
> 
>  -o smtpd_tls_mandatory_ciphers=high
>  -o tls_preempt_cipherlist=yes
>  -o tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

I see no evidence that smtpd is using mandatory TLS, which I think
is a prerequisite for the above settings to have an observable effect.

Wietse
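An added example, not part of the thread or of Postfix itself, that applies the rule Wietse states and Viktor's fix encodes: the smtpd_tls_mandatory_* settings only take effect when the service runs mandatory TLS (smtpd_tls_security_level=encrypt), otherwise the opportunistic-TLS grade and exclusion list govern. The master.cf and main.cf snippets are constructed, and the checker models only the smtpd-side parameters named in the thread (security level, cipher grade, exclusion lists, tls_<grade>_cipherlist) following postconf(5).

```python
import re

# Constructed master.cf excerpts (not the poster's real files): the original
# settings, which only name mandatory-TLS parameters, and Viktor's fix.
OP_MASTER_CF = """\
submission inet n - y - - smtpd
  -o smtpd_tls_mandatory_ciphers=high
  -o tls_preempt_cipherlist=yes
  -o tls_high_cipherlist=EDH+aRSA:EECDH+aRSA+AESGCM:!aNULL:!SEED
"""
FIXED_MASTER_CF = """\
submission inet n - y - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_exclude_ciphers=$msa_exclude_ciphers
"""
# Constructed main.cf: opportunistic TLS globally, plus Viktor's exclusion list.
MAIN_CF = {"smtpd_tls_security_level": "may", "msa_exclude_ciphers": "SEED"}

def parse_overrides(master_cf, service="submission"):
    """Collect the '-o name=value' lines that belong to one master.cf service."""
    overrides, in_service = {}, False
    for line in master_cf.splitlines():
        if line and not line[0].isspace():        # a service definition line
            in_service = line.split()[0] == service
            continue
        m = re.match(r"\s*-o\s+(\w+)=(.*)$", line)
        if in_service and m:
            overrides[m.group(1)] = m.group(2).strip()
    return overrides

def seed_is_disabled(master_cf, main_cf):
    """Return (disabled, reason) for SEED ciphers on the submission service."""
    o = parse_overrides(master_cf)
    get = lambda name, default="": o.get(name, main_cf.get(name, default))
    # Postfix expands $name in a parameter value from main.cf.
    val = lambda name: re.sub(r"\$\{?(\w+)\}?", lambda m: main_cf.get(m.group(1), ""), get(name))
    level = get("smtpd_tls_security_level", "none")
    if level == "none":
        return False, "TLS is disabled on the service"
    if level == "encrypt":  # mandatory TLS: the *_mandatory_* settings apply
        grade = get("smtpd_tls_mandatory_ciphers", "medium")
        excl = val("smtpd_tls_exclude_ciphers") + ":" + val("smtpd_tls_mandatory_exclude_ciphers")
    else:                   # opportunistic TLS: the mandatory settings are ignored
        grade = get("smtpd_tls_ciphers", "medium")
        excl = val("smtpd_tls_exclude_ciphers")
    if "SEED" in re.split(r"[:,\s]+", excl):
        return True, f"excluded via smtpd_tls_exclude_ciphers (level={level})"
    if "!SEED" in get(f"tls_{grade}_cipherlist").split(":"):
        return True, f"excluded by tls_{grade}_cipherlist (level={level})"
    return False, f"level={level}, grade={grade}: no effective SEED exclusion"
```

Running the poster's overrides against a main.cf with level "may" reports no effective exclusion, while the same overrides with level "encrypt" would have honoured the !SEED in tls_high_cipherlist, which is exactly Wietse's point.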


tls_high_cipherlist with !SEED is ignored

2019-01-15 Thread Stefan Bauer
Nessus reports, for example, TLS_RSA_WITH_SEED_CBC_SHA as weak on our
submission port. So I was using the following to disable all SEED ciphers
on the submission port, but it has no effect:

 -o smtpd_tls_mandatory_ciphers=high
 -o tls_preempt_cipherlist=yes
 -o tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

after postfix restart,

nmap --script ssl-enum-ciphers -p 587 mailserver

still reports SEED ciphers:

$ nmap --script ssl-enum-ciphers -p 587 mailserver | grep SEED
|   TLS_DH_anon_WITH_SEED_CBC_SHA - F
|   TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
|   TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
|   TLS_DH_anon_WITH_SEED_CBC_SHA - F
|   TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
|   TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
|   TLS_DH_anon_WITH_SEED_CBC_SHA - F
|   TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
|   TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A


What am I missing?