tech-crypto archive
Re: openssl3+postfix issue (ca md too weak)
Manuel Bouyer wrote in
<ZVKXHU06IovpfKIt%antioche.eu.org@localhost>:
|On Mon, Nov 13, 2023 at 10:24:56PM +0100, Steffen Nurpmeso wrote:
|> Manuel Bouyer wrote in
|> <ZVJ6LIrEPxlCEbNB%antioche.eu.org@localhost>:
|>|Hello
|>|I'm facing an issue with postfix+openssl3 which may be critical (depending
|>|on how it can be fixed).
|>|
|>|Now my postfix setup fails to send mails with
...
|>|From what I understood, this is the remote certificate which is not
|>|accepted:
|>|openssl 3 deprecated some signature algorithms, which are no longer
|>|accepted
...
|> Isn't that just postfix config.
|
|It's possible; but I didn't find anything relevant in the postfix docs
|
|> Btw *i* have no problem with
|>
|> smtpd_tls_ask_ccert = no
|> smtpd_tls_auth_only = yes
|> smtpd_tls_loglevel = 1
|> #SMART The next is usually nice but when using client certificates
|> smtpd_tls_received_header = no
|> smtpd_tls_fingerprint_digest = sha256
|> smtpd_tls_mandatory_protocols = >=TLSv1.2
|> smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
|> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
|> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
|> smtpd_tls_mandatory_ciphers = high
|> smtpd_tls_mandatory_exclude_ciphers = TLSv1
|>
|> ^ This works in practice without any noticeable trouble.
|> (But then i again i do not have to make money from that or my
|> customers who must talk to ten year old refrigerators.)
|
|this is only server-side configuration; my problem is with client-side
|rejecting the server's certificate
Well i have
#SMART comment out next
smtp_tls_security_level = may
# To always go directly SMTPS/SUBMISSIONS
#smtp_tls_wrappermode = yes
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
#SMART When only relaying to smarthost, the next should be =high _or_better_!
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_connection_reuse = yes
But if you have a problem with only one permanent remote partner
you surely want a dedicated map for that one.
Now by sheer accident i am subscribed to postfix-users for about
two years (one permanently), and in
4PkSdg3w7vzJrP3%spike.porcupine.org@localhost Wietse Venema answered on
March 25 this year in the thread "Re: smtp_tls_security_level per
user"
Use sender_dependent_default_transport_maps to choose a delivery
agent from:
/etc/postfix/master.cf:
smtp-may unix .. .. .. .. .. smtp
-o { smtp_tls_security_level = may }
smtp-encrypt unix .. .. .. .. .. smtp
-o { smtp_tls_security_level = encrypt }
smtp-whatever unix .. .. .. .. .. smtp
-o { smtp_tls_security_level = whatever }
Keep in mind that SMTP is not HTTP. A destination can have multiple
MXes, and you have no control over TLS usage between them.
This surely can be extended to configure ciphers etc.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
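As an added worked example, not part of this thread and not taken from the Postfix documentation: the "dedicated map for that one" idea above, written out as a complete configuration that routes a single destination through its own smtp delivery agent so that only that peer gets relaxed TLS settings. The domain legacy-partner.example, the service name smtp-legacy, and the commented @SECLEVEL=0 line are placeholders and assumptions of mine; the thread does not say what the remote chain actually contains.

```conf
# Added example: per-destination TLS overrides in Postfix (3.x syntax).
# Global policy stays strict; only mail to legacy-partner.example (a
# placeholder domain) is handed to the smtp-legacy transport.

# ---- /etc/postfix/main.cf ----
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_protocols = $smtp_tls_mandatory_protocols
smtp_tls_mandatory_ciphers = high
# Choose the delivery agent by recipient domain. (Wietse's example above keys
# on the sender instead, via sender_dependent_default_transport_maps; the
# master.cf side is identical.)
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/transport ----
# Run "postmap /etc/postfix/transport" after every edit.
legacy-partner.example     smtp-legacy:
.legacy-partner.example    smtp-legacy:

# ---- /etc/postfix/master.cf ----
# Everything this one peer needs lives here and nowhere else. syslog_name
# makes its log lines easy to tell apart from the default smtp transport.
# Assumption (not stated in the thread): if the peer's chain is SHA-1 signed
# and OpenSSL 3's default security level is what rejects it, appending
# @SECLEVEL=0 to the cipherlist for this transport only is the knob to lower
# that level; leave it commented unless the s_client check below confirms it.
# service     type  private unpriv chroot wakeup maxproc command
smtp-legacy   unix  -       -      n      -      -       smtp
    -o syslog_name=postfix/smtp-legacy
    -o smtp_tls_loglevel=2
    -o smtp_tls_security_level=may
#   -o tls_high_cipherlist=EECDH+AESGCM:EDH+AESGCM:@SECLEVEL=0
```

Before loosening anything, look at what the remote actually presents: `openssl s_client -starttls smtp -connect mx.legacy-partner.example:25 -showcerts </dev/null` prints the chain and the verify result, and piping each certificate through `openssl x509 -noout -text | grep 'Signature Algorithm'` shows which link is signed with a digest OpenSSL 3 no longer accepts at its default level. Keep the relaxed transport bound to that one destination map entry; the global transport keeps the strict settings, and `postfix/smtp-legacy` in the logs tells you exactly which sessions ran with the weaker policy.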