From: Victor Duchovni on 1 Jun 2010 15:51

I've recently enabled Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange on our inbound Postfix servers (Postfix compiled and linked with OpenSSL 1.0.0), by setting:

    smtpd_tls_eecdh_grade = strong

Counting recently logged ciphers yields:

      33258 DHE-RSA-AES256-SHA
      13126 RC4-SHA
       3976 RC4-MD5
       2972 ADH-AES256-SHA
       1620 AES128-SHA
       1052 EDH-RSA-DES-CBC3-SHA
        971 DHE-RSA-CAMELLIA256-SHA
        320 AES256-SHA
  --->  302 AECDH-AES256-SHA
        168 ADH-CAMELLIA256-SHA
         86 DES-CBC3-SHA
  --->   18 ECDHE-RSA-AES256-SHA
         13 ADH-SEED-SHA

This shows approximately 1% of clients using EECDH. No problems observed.

The default setting in Postfix is to not enable EECDH (which was a somewhat "experimental" OpenSSL feature at the time support was added in Postfix). I think that EECDH is now mature enough for mainstream use, but more field experience is probably required before it is enabled by default.

So, if you are running Postfix 2.4 or later, and it is compiled against OpenSSL 1.0.0 (or today's 1.0.0a), please test EECDH support by setting "smtpd_tls_eecdh_grade = strong". If there are no problem reports, perhaps we can enable this by default in Postfix 2.8.

To improve the odds of your Postfix with OpenSSL 1.0.0 SMTP client using EECDH when servers support it, you need to set:

    tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
    tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
    tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
    tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

These settings are for OpenSSL 1.0.0 only; do not use these with OpenSSL 0.9.x. The cipherlist order semantics changed in 1.0.0.

These settings will become the default in upcoming Postfix releases and patch-levels (when compiled with OpenSSL 1.0.0 include files, and presumably also linked with 1.0.0 libraries).

--
Viktor.
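As an added example (not part of Viktor's post), here is a small Python script that produces the kind of cipher tally shown above from Postfix "TLS connection established" log lines and computes the share of sessions that negotiated an ECDH-based suite (ECDHE-* or AECDH-*). The log lines are constructed samples in the standard Postfix smtpd/smtp TLS log format.

```python
import re
from collections import Counter

# Constructed sample lines in the Postfix "TLS connection established" format
SAMPLE_LOG = """\
Jun  1 15:40:01 mx1 postfix/smtpd[1234]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun  1 15:40:05 mx1 postfix/smtpd[1235]: Anonymous TLS connection established from b.example[192.0.2.11]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun  1 15:40:09 mx1 postfix/smtpd[1236]: Untrusted TLS connection established from c.example[192.0.2.12]: TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)
Jun  1 15:40:12 mx1 postfix/smtpd[1237]: Anonymous TLS connection established from d.example[192.0.2.13]: SSLv3 with cipher RC4-MD5 (128/128 bits)
Jun  1 15:40:20 mx1 postfix/smtpd[1238]: disconnect from e.example[192.0.2.14]
"""

# Matches both inbound (smtpd, "from") and outbound (smtp, "to") TLS session lines
TLS_RE = re.compile(
    r"TLS connection established (?:from|to) \S+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)


def count_ciphers(lines):
    """Tally the OpenSSL cipher name of every TLS session found in the lines."""
    counts = Counter()
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            counts[m.group("cipher")] += 1
    return counts


def uses_eecdh(cipher):
    """True for suites whose key exchange is ephemeral ECDH.

    OpenSSL names authenticated suites ECDHE-* and anonymous ones AECDH-*;
    both do ECDH key agreement, so both count towards EECDH usage.
    """
    return cipher.startswith("ECDHE-") or cipher.startswith("AECDH-")


def eecdh_share(counts):
    """Fraction of sessions (0.0 .. 1.0) that negotiated an EECDH suite."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for c, n in counts.items() if uses_eecdh(c)) / total


def report(text):
    """Print a count-sorted tally, marking EECDH suites with '--->' as in the post."""
    counts = count_ciphers(text.splitlines())
    for cipher, n in counts.most_common():
        print(f"{'--->' if uses_eecdh(cipher) else '    '} {n:6d} {cipher}")
    print(f"EECDH share: {eecdh_share(counts):.1%}")
    return counts


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real mail log (for example `report(open('/var/log/mail.log').read())`) to track EECDH uptake over time after changing smtpd_tls_eecdh_grade.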