with no additional configuration, but you may want to override the
default prime to be 2048 bits long, and you may want to regenerate
your primes periodically. See the <a href="#quick-start">quick-start</a>
-section for details. </p>
+section for details. With Postfix ≥ 3.1 the out of the box
+(compiled-in) EDH prime size is 2048 bits. </p>
<p> With prime-field EDH, OpenSSL wants the server to provide
two explicitly-selected (prime, generator) combinations. One for
"export" ciphers. To use a non-default prime, generate a 512-bit
DH parameter file and set smtpd_tls_dh512_param_file to the filename
(see the <a href="#quick-start">quick-start</a> section for details).
+With Postfix ≥ 3.1 export cipher suites are by default disabled.
+Servers that enable "export" cipher-suites are vulnerable to man
+in the middle attacks even against clients that don't support
+"export" ciphers. Do not enable "export" ciphers except on servers
+dedicated to supporting obsolete clients that support nothing else.
</p>
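Review bot: the added sentence closing the first paragraph says the compiled-in EDH prime is 2048 bits with Postfix ≥ 3.1, but the unchanged text just before it still advises that "you may want to override the default prime to be 2048 bits long", which now applies only to Postfix ≤ 3.0. Qualify the older sentence with the releases it applies to. In the second paragraph the new warning against "export" ciphers comes after the unchanged instruction to generate a 512-bit file for smtpd_tls_dh512_param_file; put the warning first, or mark that instruction as legacy-only, so readers do not follow it by default. The added lines also mix "cipher suites" and "cipher-suites".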
<li> <p> The non-export EDH parameters are used for all other EDH
</ul>
-<p> It turns out that (inadvisably-patched in some Debian releases)
-Exim SMTP clients require a ≥ 2048-bit length for the non-export
-prime. See the <a href="#quick-start">quick-start</a> section for
-the recommended configuration to work around this issue. </p>
+<p> Note, as of mid-2015, SMTP clients are starting to reject TLS
+handshakes with primes smaller than 2048-bits. Use of 1024-bit
+primes is not recommended. Each site needs to determine which prime
+size works best for the majority of its clients. See the <a
+href="#quick-start">quick-start</a> section for the recommended
+configuration to work around this issue. </p>
<h3> EECDH Server support </h3>
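Review bot: the closing sentence of the new paragraph, "the recommended configuration to work around this issue", was carried over from the removed Exim paragraph and no longer has a specific issue to refer to. Reword it to say what the quick-start section actually provides, and write "2048 bits" without the hyphen in "smaller than 2048-bits".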
<p> The default Postfix SMTP client cipher lists are correctly
ordered to prefer EECDH and EDH cipher suites ahead of similar
cipher suites that don't implement forward secrecy. Administrators
-are strongly discouraged from changing the cipher list definitions.
-It is likely safe to set "smtp_tls_ciphers = medium" if you wish
-to disable the obsolete "export" and "low" grade ciphers even with
-opportunistic TLS. Setting a minimum strength does not change the
-preference
-order. Note that strengths higher than "medium" exclude Exchange
-2003 and likely other widely used MTAs, thus "high" grade ciphers
-should only be used on a case-by-case basis via the <a
-href="TLS_README.html#client_tls_policy">TLS policy</a> table. </p>
+are strongly discouraged from changing the cipher list definitions. </p>
+
+<p> If the smtp_tls_ciphers configuration parameter does not default
+to "medium" in the Postfix release you're using, you should set it
+explicitly to "medium" in main.cf so as to disable the obsolete
+"export" and "low" grade ciphers even with opportunistic TLS (this
+is the default starting with Postfix 3.1). Setting the minimum
+grade does not change the preference order. Note that grades higher
+than "medium" exclude Exchange 2003 and likely other widely used
+MTAs, thus "high" grade ciphers should only be used on a case-by-case
+basis via the <a href="TLS_README.html#client_tls_policy">TLS
+policy</a> table. </p>
<h2><a name="quick-start">Getting started, quick and dirty</a></h2>
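Review bot: the new paragraph opens with "If the smtp_tls_ciphers configuration parameter does not default to "medium" in the Postfix release you're using" but gives the reader no way to check. Other parts of this patch point at "postconf -d" output for defaults, so name that check here too. The parenthetical "(this is the default starting with Postfix 3.1)" would also read better next to the condition it explains than after the "export" and "low" clause.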
/etc/postfix/master.cf:
submission inet n - n - - smtpd
# Some submission clients may not yet do 2048-bit EDH, if such
- # clients use your MSA, configure 1024-bit EDH instead:
+ # clients use your MSA, configure 1024-bit EDH instead. However,
+ # as of mid-2015, many submission clients no longer accept primes
+ # with less than 2048-bits. Each site needs to determine which
+ # type of client is more important to support.
-o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
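Review bot: the expanded comment now says many submission clients reject primes with fewer than 2048 bits, yet the example still ends with an active "-o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem" override, so anyone copying the block gets 1024-bit EDH on the submission service. Show the override commented out, or say in the comment that the line should be dropped unless the site has identified legacy clients that need it.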
<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
-<p> The Postfix SMTP server supports 5 distinct cipher security levels
-as specified by the smtpd_tls_mandatory_ciphers configuration parameter,
-which determines the cipher grade with mandatory TLS encryption. The
-default value is "medium" which is essentially 128-bit encryption or better.
-With opportunistic TLS encryption, the minimum accepted cipher grade is
-typically "export". The corresponding smtpd_tls_ciphers parameter
-(Postfix ≥ 2.6) controls the cipher grade used with opportunistic
-TLS. </p>
+<p> The Postfix SMTP server supports 5 distinct cipher grades as
+specified by the smtpd_tls_mandatory_ciphers configuration parameter,
+which determines the cipher grade with mandatory TLS encryption.
+The default cipher grade for mandatory TLS is "medium" which is
+essentially 128-bit encryption or better. The smtpd_tls_ciphers
+parameter (Postfix ≥ 2.6) controls the cipher grade used with
+opportunistic TLS. With opportunistic TLS encryption, the minimum
+accepted cipher grade is "export" for Postfix ≤ 3.0 and "medium"
+for Postfix ≥ 3.1. </p>
<p> By default anonymous ciphers are enabled. They are automatically
disabled when remote SMTP client certificates are requested. If
a remote SMTP client to check the server certificate, so excluding
anonymous ciphers is generally unnecessary. </p>
-<p> The "smtpd_tls_ciphers" configuration parameter (Postfix ≥
-2.6) provides control over the minimum cipher grade for opportunistic
-TLS. With
-Postfix < 2.6, the minimum opportunistic TLS cipher grade is always
-"export". </p>
-
<p> With mandatory TLS encryption, the Postfix SMTP server will by
default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
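Review bot: in the rewritten first paragraph, "the minimum accepted cipher grade is "export" for Postfix ≤ 3.0 and "medium" for Postfix ≥ 3.1" reads as fixed behaviour, although the sentence before it says smtpd_tls_ciphers controls the grade. Say "default minimum". The deleted smtpd_tls_ciphers paragraph also carried the note that Postfix < 2.6 always uses "export"; the client-side section keeps the equivalent note, so either keep it here or drop it in both places.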
Opportunistic TLS can be configured by setting "smtp_tls_security_level = may".
For LMTP, use the corresponding "lmtp_" parameter. </p>
-<p> Since sending in the clear is acceptable, demanding stronger
-than default TLS security mostly reduces inter-operability. If you
-must restrict TLS protocol or cipher selection even with opportunistic
-TLS, the "smtp_tls_ciphers" and "smtp_tls_protocols" configuration
-parameters (Postfix ≥ 2.6) provide control over the protocols
-and cipher grade
-used with opportunistic TLS. With earlier releases the opportunistic TLS
-cipher grade is always "export" and no protocols are disabled. </p>
+<p> The "smtp_tls_ciphers" and "smtp_tls_protocols" configuration
+parameters (Postfix ≥ 2.6) provide control over the cipher grade
+and protocols used with opportunistic TLS. With earlier releases
+the opportunistic TLS cipher grade is always "export" and no protocols
+are disabled. </p>
<p> With opportunistic TLS, mail delivery continues even if the
server certificate is untrusted or bears the wrong name.
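Review bot: the replacement paragraph still describes the pre-2.6 behaviour (cipher grade always "export") but does not say that the smtp_tls_ciphers default becomes "medium" with Postfix 3.1, which the client-side cipher controls hunk does add. Add the same sentence here so the two descriptions of opportunistic TLS agree.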
<h3> <a name="client_cipher">Client-side cipher controls </a> </h3>
-<p> The Postfix SMTP client supports 5 distinct cipher security levels
+<p> The Postfix SMTP client supports 5 distinct cipher grades
as specified by the smtp_tls_mandatory_ciphers configuration
parameter. This setting controls the minimum acceptable SMTP client
TLS cipher grade for use with mandatory TLS encryption. The default
<p> The "smtp_tls_ciphers" configuration parameter (Postfix ≥ 2.6)
provides control over the minimum cipher grade for opportunistic TLS. With
Postfix < 2.6, the minimum opportunistic TLS cipher grade is always
-"export". </p>
+"export". Starting with Postfix 3.1, the default grade is "medium" even
+for opportunistic TLS. </p>
<p> With mandatory TLS encryption, the Postfix SMTP client will by
default disable SSLv2. SSLv2 is used only when TLS encryption
# Legacy form for Postfix < 2.5:
smtp_tls_mandatory_protocols = SSLv3, TLSv1
# Also available with Postfix ≥ 2.6:
- smtp_tls_ciphers = export
+ smtp_tls_ciphers = medium
smtp_tls_protocols = !SSLv2
</pre>
</blockquote>
<h3><a name="self-signed">Self-signed server certificate</a></h3>
-<p> The following commands (credits: Viktor Dukhovni) generate
-and install a private key and 10-year self-signed certificate for
-the local Postfix system. This requires super-user privileges. </p>
+<p> The following commands (credits: Viktor Dukhovni) generate and
+install a 2048-bit RSA private key and 10-year self-signed certificate
+for the local Postfix system. This requires super-user privileges.
+</p>
<blockquote>
<pre>
%PARAM broken_sasl_auth_clients no
<p>
-Enable inter-operability with remote SMTP clients that implement an obsolete
+Enable interoperability with remote SMTP clients that implement an obsolete
version of the AUTH command (RFC 4954). Examples of such clients
are MicroSoft Outlook Express version 4 and MicroSoft Exchange
version 5.0.
%PARAM smtpd_tls_cipherlist
<p> Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
-cipher list. It is easy to create inter-operability problems by choosing
+cipher list. It is easy to create interoperability problems by choosing
a non-default cipher list. Do not use a non-default TLS cipherlist for
MX hosts on the public Internet. Clients that begin the TLS handshake,
but are unable to agree on a common cipher, may not be able to send any
%PARAM smtpd_tls_dh512_param_file
-<p> File with DH parameters that the Postfix SMTP server should
-use with export-grade EDH ciphers. </p>
+<p> File with DH parameters that the Postfix SMTP server should use
+with export-grade EDH ciphers. With Postfix ≥ 3.1 export cipher
+suites are by default disabled. </p>
<p> See also the discussion under the smtpd_tls_dh1024_param_file
configuration parameter. </p>
<p> Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list. As this feature applies to all TLS security levels, it is easy
-to create inter-operability problems by choosing a non-default cipher
+to create interoperability problems by choosing a non-default cipher
list. Do not use a non-default TLS cipher list on hosts that deliver email
to the public Internet: you will be unable to send email to servers that
only support the ciphers you exclude. Using a restricted cipher list
<dt><b><a href="TLS_README.html#client_tls_may">may</a></b></dt>
<dd>Opportunistic TLS. Since sending in the clear is acceptable,
demanding stronger than default TLS security merely reduces
-inter-operability. The optional "ciphers", "exclude" and "protocols"
+interoperability. The optional "ciphers", "exclude" and "protocols"
attributes (available for opportunistic TLS with Postfix ≥ 2.6)
override the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers" and
"smtp_tls_protocols" configuration parameters. When opportunistic TLS
<dd> Opportunistic TLS. Use TLS if this is supported by the remote
SMTP server, otherwise use plaintext. Since
sending in the clear is acceptable, demanding stronger than default TLS
-security merely reduces inter-operability.
+security merely reduces interoperability.
The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6)
configuration parameters provide control over the protocols and
cipher grade used with opportunistic TLS. With earlier releases the
<dl>
<dt><b>export</b></dt>
-<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers.
-This is the most appropriate setting for public MX hosts, and is always
-used with opportunistic TLS encryption. The underlying cipherlist
-is specified via the tls_export_cipherlist configuration parameter,
-which you are strongly encouraged to not change. </dd>
+<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_export_cipherlist
+configuration parameter, which you are strongly encouraged to not
+change. This setting is insecure and SHOULD NOT be used. </dd>
<dt><b>low</b></dt>
-<dd> Enable "LOW" grade or stronger OpenSSL ciphers. The
-underlying cipherlist is specified via the tls_low_cipherlist
-configuration parameter, which you are strongly encouraged to
-not change. </dd>
+<dd> Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
+cipherlist is specified via the tls_low_cipherlist configuration
+parameter, which you are strongly encouraged to not change. This
+setting is insecure and SHOULD NOT be used. </dd>
<dt><b>medium</b></dt>
<dd> Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit
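Review bot: "This setting is insecure and SHOULD NOT be used" follows a sentence about tls_export_cipherlist (and tls_low_cipherlist), so "this setting" can be read as the cipherlist parameter rather than the "export" or "low" grade. Name the grade explicitly, for example 'The "export" grade is insecure and SHOULD NOT be used', and use the same wording in the client-side list, which currently says "This choice".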
<dl>
<dt><b>export</b></dt>
-<dd> Enable "EXPORT" grade or better OpenSSL
-ciphers. This is the default for opportunistic encryption. It is
-not recommended for mandatory encryption unless you must enforce TLS
-with "crippled" peers. The underlying cipherlist is specified via the
-tls_export_cipherlist configuration parameter, which you are strongly
-encouraged to not change. </dd>
+<dd> Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
+cipherlist is specified via the tls_export_cipherlist configuration
+parameter, which you are strongly encouraged to not change. This
+choice is insecure and SHOULD NOT be used. </dd>
<dt><b>low</b></dt>
-<dd> Enable "LOW" grade or better OpenSSL ciphers. This
-setting is only appropriate for internal mail servers. The underlying
+<dd> Enable "LOW" grade or better OpenSSL ciphers. The underlying
cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. </dd>
+parameter, which you are strongly encouraged to not change. This
+choice is insecure and SHOULD NOT be used. </dd>
<dt><b>medium</b></dt>
<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM tls_high_cipherlist ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
+%PARAM tls_high_cipherlist see "postconf -d" output
-<p> The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
-the meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
-smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
-strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
-later the cipherlist may start with an "aNULL:" prefix, which restores
-the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
-list when they are enabled. This prefix is not needed with previous
-OpenSSL releases. </p>
+<p> The OpenSSL cipherlist for "high" grade ciphers. This defines
+the meaning of the "high" setting in smtpd_tls_ciphers,
+smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
+lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
+encouraged to not change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM tls_medium_cipherlist ALL:!EXPORT:!LOW:+RC4:@STRENGTH
+%PARAM tls_medium_cipherlist see "postconf -d" output
-<p> The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
-defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers,
-smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
-the default cipherlist for mandatory TLS encryption in the TLS
-client (with anonymous ciphers disabled when verifying server
-certificates). You are strongly encouraged to not change this
-setting. With OpenSSL 1.0.0 and later the cipherlist may start with an
-"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the
-aNULL ciphers to the top of the list when they are enabled. This prefix
-is not needed with previous OpenSSL releases. </p>
+<p> The OpenSSL cipherlist for "medium" grade ciphers. This defines
+the meaning of the "medium" setting in smtpd_tls_ciphers,
+smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
+lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This is the
+default cipherlist for mandatory TLS encryption in the TLS client
+(with anonymous ciphers disabled when verifying server certificates).
+With Postfix ≥ 3.1 this is the default cipherlist for the
+opportunistic ("may") TLS client security level and also the default
+cipherlist for the SMTP server. You are strongly encouraged to not
+change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM tls_low_cipherlist ALL:!EXPORT:+RC4:@STRENGTH
+%PARAM tls_low_cipherlist see "postconf -d" output
-<p> The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
-the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
-smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
-strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
-later the cipherlist may start with an "aNULL:" prefix, which restores
-the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
-list when they are enabled. This prefix is not needed with previous
-OpenSSL releases. </p>
+<p> The OpenSSL cipherlist for "low" grade ciphers. This defines
+the meaning of the "low" setting in smtpd_tls_ciphers,
+smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
+lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
+encouraged to not change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM tls_export_cipherlist ALL:+RC4:@STRENGTH
+%PARAM tls_export_cipherlist see "postconf -d" output
-<p> The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
-defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers,
-smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
-the cipherlist for the opportunistic ("may") TLS client security
-level and is the default cipherlist for the SMTP server. You are
-strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
-later the cipherlist may start with an "aNULL:" prefix, which restores
-the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
-list when they are enabled. This prefix is not needed with previous
-OpenSSL releases. </p>
+<p> The OpenSSL cipherlist for "export" grade ciphers. This defines
+the meaning of the "export" setting in smtpd_tls_ciphers,
+smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
+lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With Postfix
+≤ 3.0 this is the default cipherlist for the opportunistic ("may")
+TLS client security level and also the default cipherlist for the
+SMTP server. You are strongly encouraged to not change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
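Review bot: the four descriptions change from "or higher grade ciphers" to plain "grade ciphers", but the grade definitions elsewhere in this patch still read 'Enable "MEDIUM" grade or stronger'. Each list is a floor rather than an exact grade, so keep "or higher" (or "or stronger") in all four. With the default replaced by 'see "postconf -d" output', the text no longer shows or describes the value at all; a one-line summary of what each list excludes would help readers who are not at a running Postfix.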
<p> The non-default setting "yes" enables the behavior of older
Postfix versions. These always send a SASL authzid that is equal
-to the SASL authcid, but this causes inter-operability problems
+to the SASL authcid, but this causes interoperability problems
with some SMTP servers. </p>
<p> This feature is available in Postfix 2.4.4 and later. </p>
"TLSv1.1" or "TLSv1.2"</p>
<p> To include a protocol list its name, to exclude it, prefix the name
-with a "!" character. To exclude SSLv2 even for opportunistic TLS set
+with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, rather than protocols to exclude, is supported, but not
"TLSv1.2". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
-with a "!" character. To exclude SSLv2 even for opportunistic TLS set
+with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, rather than protocols to exclude, is supported, but not
<p> This feature is available in Postfix 2.6 and later. </p>
-%PARAM smtp_tls_ciphers export
+%PARAM smtp_tls_ciphers see "postconf -d" output
-<p> The minimum TLS cipher grade that the Postfix SMTP client
-will use with opportunistic TLS encryption. Cipher types listed in
+<p> The minimum TLS cipher grade that the Postfix SMTP client will
+use with opportunistic TLS encryption. Cipher types listed in
smtp_tls_exclude_ciphers are excluded from the base definition of
-the selected cipher grade. The default value "export" ensures maximum
-inter-operability. Because encryption is optional, stronger controls
-are not appropriate, and this setting SHOULD NOT be changed unless the
-change is essential. </p>
+the selected cipher grade. Starting with Postfix 3.1, the default
+value changes from "export" to "medium". </p>
<p> When TLS is mandatory the cipher grade is chosen via the
smtp_tls_mandatory_ciphers configuration parameter, see there for syntax
details. See smtp_tls_policy_maps for information on how to configure
ciphers on a per-destination basis. </p>
-<p> Example: </p>
-<pre>
-smtp_tls_ciphers = export
-</pre>
-
<p> This feature is available in Postfix 2.6 and later. With earlier Postfix
releases only the smtp_tls_mandatory_ciphers parameter is implemented,
and opportunistic TLS always uses "export" or better (i.e. all) ciphers. </p>
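Review bot: the %PARAM default becomes 'see "postconf -d" output', yet the header hunk in this patch sets DEF_SMTP_TLS_CIPH to the literal "medium". If the default is not build-dependent, document it as "medium" directly. The example is also removed without a replacement; a line showing "smtp_tls_ciphers = medium" for Postfix ≤ 3.0 would match the advice this patch adds to the forward secrecy README.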
-%PARAM smtpd_tls_ciphers export
+%PARAM smtpd_tls_ciphers see "postconf -d" output
-<p> The minimum TLS cipher grade that the Postfix SMTP server
-will use with opportunistic TLS encryption. Cipher types listed in
+<p> The minimum TLS cipher grade that the Postfix SMTP server will
+use with opportunistic TLS encryption. Cipher types listed in
smtpd_tls_exclude_ciphers are excluded from the base definition of
-the selected cipher grade. The default value "export" ensures maximum
-inter-operability. Because encryption is optional, stronger controls
-are not appropriate, and this setting SHOULD NOT be changed unless the
-change is essential. </p>
+the selected cipher grade. Starting with Postfix 3.1, the default
+value changes from "export" to "medium". </p>
<p> When TLS is mandatory the cipher grade is chosen via the
smtpd_tls_mandatory_ciphers configuration parameter, see there for syntax
details. </p>
-<p> Example: </p>
-<pre>
-smtpd_tls_ciphers = export
-</pre>
-
<p> This feature is available in Postfix 2.6 and later. With earlier Postfix
releases only the smtpd_tls_mandatory_ciphers parameter is implemented,
and opportunistic TLS always uses "export" or better (i.e. all) ciphers. </p>
-%PARAM lmtp_tls_ciphers export
+%PARAM lmtp_tls_ciphers see "postconf -d" output
<p> The LMTP-specific version of the smtp_tls_ciphers configuration
parameter. See there for details. </p>
<p> A mechanism to transform commands from remote SMTP clients.
This is a last-resort tool to work around client commands that break
-inter-operability with the Postfix SMTP server. Other uses involve
+interoperability with the Postfix SMTP server. Other uses involve
fault injection to test Postfix's handling of invalid commands.
</p>
<p> A mechanism to transform replies from remote SMTP servers one
line at a time. This is a last-resort tool to work around server
-replies that break inter-operability with the Postfix SMTP client.
+replies that break interoperability with the Postfix SMTP client.
Other uses involve fault injection to test Postfix's handling of
invalid responses. </p>
<p> File with DH parameters that the Postfix tlsproxy(8) server
should use with export-grade EDH ciphers. See smtpd_tls_dh512_param_file
-for further details. </p>
+for further details. With Postfix ≥ 3.1 export cipher suites
+are by default disabled. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
*
* To turn off further warnings and deploy the new default settings, the
* system administrator should update the compatibility_level setting as
- * recommended in the RELASE_NOTES file.
+ * recommended in the RELEASE_NOTES file.
*
* Each incompatible change has its own flag variable, instead of bit in a
* shared variable. We don't want to rip up code when we need more flag
extern char *var_smtpd_tls_mand_proto;
#define VAR_SMTPD_TLS_CIPH "smtpd_tls_ciphers"
-#define DEF_SMTPD_TLS_CIPH "export"
+#define DEF_SMTPD_TLS_CIPH "medium"
extern char *var_smtpd_tls_ciph;
#define VAR_SMTPD_TLS_MAND_CIPH "smtpd_tls_mandatory_ciphers"
extern char *var_smtp_tls_CApath;
#define VAR_SMTP_TLS_CIPH "smtp_tls_ciphers"
-#define DEF_SMTP_TLS_CIPH "export"
+#define DEF_SMTP_TLS_CIPH "medium"
#define VAR_LMTP_TLS_CIPH "lmtp_tls_ciphers"
-#define DEF_LMTP_TLS_CIPH "export"
+#define DEF_LMTP_TLS_CIPH "medium"
extern char *var_smtp_tls_ciph;
#define VAR_SMTP_TLS_MAND_CIPH "smtp_tls_mandatory_ciphers"
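Review bot: the three DEF_*_TLS_CIPH macros flip from "export" to "medium" unconditionally, which changes behaviour on upgrade for sites that relied on the old opportunistic TLS floor. The comment block shown just above says each incompatible change has its own flag variable tied to compatibility_level, and no such flag is visible for this change. If leaving it ungated is deliberate, say so in a comment here or in the release notes.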
/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
/* process requests from the \fBtlsmgr\fR(8) server in order to seed its
/* internal pseudo random number generator (PRNG).
-/* .IP "\fBtls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)\fR"
-/* The OpenSSL cipherlist for "HIGH" grade ciphers.
-/* .IP "\fBtls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)\fR"
-/* The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
-/* .IP "\fBtls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)\fR"
-/* The OpenSSL cipherlist for "LOW" or higher grade ciphers.
-/* .IP "\fBtls_export_cipherlist (ALL:+RC4:@STRENGTH)\fR"
-/* The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
+/* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "high" grade ciphers.
+/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "medium" grade ciphers.
+/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "low" grade ciphers.
+/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "export" grade ciphers.
/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
/* authentication without encryption.
/* .IP "\fBsmtp_tls_protocols (!SSLv2)\fR"
/* List of TLS protocols that the Postfix SMTP client will exclude or
/* include with opportunistic TLS encryption.
-/* .IP "\fBsmtp_tls_ciphers (export)\fR"
-/* The minimum TLS cipher grade that the Postfix SMTP client
-/* will use with opportunistic TLS encryption.
+/* .IP "\fBsmtp_tls_ciphers (see 'postconf -d' output)\fR"
+/* The minimum TLS cipher grade that the Postfix SMTP client will
+/* use with opportunistic TLS encryption.
/* .IP "\fBsmtp_tls_eccert_file (empty)\fR"
/* File with the Postfix SMTP client ECDSA certificate in PEM format.
/* .IP "\fBsmtp_tls_eckey_file ($smtp_tls_eccert_file)\fR"
/* .ad
/* .fi
/* .IP "\fBbroken_sasl_auth_clients (no)\fR"
-/* Enable inter-operability with remote SMTP clients that implement an obsolete
+/* Enable interoperability with remote SMTP clients that implement an obsolete
/* version of the AUTH command (RFC 4954).
/* .IP "\fBdisable_vrfy_command (no)\fR"
/* Disable the SMTP VRFY command.
/* Postfix SMTP client to a remote SMTP server.
/* See the SASL_README document for details.
/* .IP "\fBbroken_sasl_auth_clients (no)\fR"
-/* Enable inter-operability with remote SMTP clients that implement an obsolete
+/* Enable interoperability with remote SMTP clients that implement an obsolete
/* version of the AUTH command (RFC 4954).
/* .IP "\fBsmtpd_sasl_auth_enable (no)\fR"
/* Enable SASL authentication in the Postfix SMTP server.
/* File with DH parameters that the Postfix SMTP server should
/* use with non-export EDH ciphers.
/* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR"
-/* File with DH parameters that the Postfix SMTP server should
-/* use with export-grade EDH ciphers.
+/* File with DH parameters that the Postfix SMTP server should use
+/* with export-grade EDH ciphers.
/* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR"
/* File with the Postfix SMTP server DSA private key in PEM format.
/* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
/* process requests from the \fBtlsmgr\fR(8) server in order to seed its
/* internal pseudo random number generator (PRNG).
-/* .IP "\fBtls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)\fR"
-/* The OpenSSL cipherlist for "HIGH" grade ciphers.
-/* .IP "\fBtls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)\fR"
-/* The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
-/* .IP "\fBtls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)\fR"
-/* The OpenSSL cipherlist for "LOW" or higher grade ciphers.
-/* .IP "\fBtls_export_cipherlist (ALL:+RC4:@STRENGTH)\fR"
-/* The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
+/* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "high" grade ciphers.
+/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "medium" grade ciphers.
+/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "low" grade ciphers.
+/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "export" grade ciphers.
/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
/* authentication without encryption.
/* .IP "\fBsmtpd_tls_protocols (empty)\fR"
/* List of TLS protocols that the Postfix SMTP server will exclude
/* or include with opportunistic TLS encryption.
-/* .IP "\fBsmtpd_tls_ciphers (export)\fR"
-/* The minimum TLS cipher grade that the Postfix SMTP server
-/* will use with opportunistic TLS encryption.
+/* .IP "\fBsmtpd_tls_ciphers (see 'postconf -d' output)\fR"
+/* The minimum TLS cipher grade that the Postfix SMTP server will
+/* use with opportunistic TLS encryption.
/* .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
/* File with the Postfix SMTP server ECDSA certificate in PEM format.
/* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
/* Application-specific. */
/*
- * Compiled-in EDH primes (the compiled-in generator is always 2). These are
- * used when no parameters are explicitly loaded from a site-specific file.
- *
- * 512-bit parameters are used for export ciphers, and 1024-bit parameters are
- * used for non-export ciphers. An ~80-bit strong EDH key exchange is really
- * too weak to protect 128+ bit keys, but larger DH primes are
- * computationally expensive. When greater security is required, use EECDH.
+ * Compiled-in DH parameters. Used when no parameters are explicitly loaded
+ * from a site-specific file. Using an ASN.1 DER encoding avoids the need to
+ * explicitly manipulate the internal represenation of DH parameter objects.
+ *
+ * 512-bit parameters are used for export ciphers, and 2048-bit parameters are
+ * used for non-export ciphers. The non-export group is now 2048-bit, as 1024
+ * bits is increasingly considered to weak by clients. When greater security
+ * is required, use EECDH.
*/
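Review bot: two typos in the added comment lines: "represenation" should be "representation", and "considered to weak" should be "considered too weak". The comment also still states that 512-bit parameters are compiled in for export ciphers; since the documentation hunks say export cipher suites are disabled by default with Postfix ≥ 3.1, note here that this group is only used when export ciphers are explicitly enabled.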
- /*
- * Generated via "openssl dhparam -2 -noout -C 512 2>/dev/null" TODO:
- * generate at compile-time.
+ /*-
+ * Generated via:
+ * $ openssl dhparam -2 -outform DER 512 2>/dev/null |
+ * hexdump -ve '/1 "0x%02x, "' | fmt
+ * TODO: generate at compile-time.
*/
-static unsigned char dh512_p[] = {
- 0x88, 0x3F, 0x00, 0xAF, 0xFC, 0x0C, 0x8A, 0xB8, 0x35, 0xCD, 0xE5, 0xC2,
- 0x0F, 0x55, 0xDF, 0x06, 0x3F, 0x16, 0x07, 0xBF, 0xCE, 0x13, 0x35, 0xE4,
- 0x1C, 0x1E, 0x03, 0xF3, 0xAB, 0x17, 0xF6, 0x63, 0x50, 0x63, 0x67, 0x3E,
- 0x10, 0xD7, 0x3E, 0xB4, 0xEB, 0x46, 0x8C, 0x40, 0x50, 0xE6, 0x91, 0xA5,
- 0x6E, 0x01, 0x45, 0xDE, 0xC9, 0xB1, 0x1F, 0x64, 0x54, 0xFA, 0xD9, 0xAB,
- 0x4F, 0x70, 0xBA, 0x5B,
+static unsigned char dh512_der[] = {
+ 0x30, 0x46, 0x02, 0x41, 0x00, 0xd8, 0xbf, 0x11, 0xd6, 0x41, 0x2a, 0x7a,
+ 0x9c, 0x78, 0xb2, 0xaa, 0x41, 0x23, 0x0a, 0xdc, 0xcf, 0xb7, 0x19, 0xc5,
+ 0x16, 0x4c, 0xcb, 0x4a, 0xd0, 0xd2, 0x1f, 0x1f, 0x70, 0x24, 0x86, 0x6f,
+ 0x51, 0x52, 0xc6, 0x5b, 0x28, 0xbb, 0x82, 0xe1, 0x24, 0x91, 0x3d, 0x4d,
+ 0x95, 0x56, 0xf8, 0x0b, 0x2c, 0xe0, 0x36, 0x67, 0x88, 0x64, 0x15, 0x1f,
+ 0x45, 0xd5, 0xb8, 0x0a, 0x00, 0x03, 0x76, 0x32, 0x0b, 0x02, 0x01, 0x02,
};
- /*
- * Generated via "openssl dhparam -2 -noout -C 1024 2>/dev/null" TODO:
- * generate at compile-time.
+ /*-
+ * Generated via:
+ * $ openssl dhparam -2 -outform DER 2048 2>/dev/null |
+ * hexdump -ve '/1 "0x%02x, "' | fmt
+ * TODO: generate at compile-time.
*/
-static unsigned char dh1024_p[] = {
- 0xB0, 0xFE, 0xB4, 0xCF, 0xD4, 0x55, 0x07, 0xE7, 0xCC, 0x88, 0x59, 0x0D,
- 0x17, 0x26, 0xC5, 0x0C, 0xA5, 0x4A, 0x92, 0x23, 0x81, 0x78, 0xDA, 0x88,
- 0xAA, 0x4C, 0x13, 0x06, 0xBF, 0x5D, 0x2F, 0x9E, 0xBC, 0x96, 0xB8, 0x51,
- 0x00, 0x9D, 0x0C, 0x0D, 0x75, 0xAD, 0xFD, 0x3B, 0xB1, 0x7E, 0x71, 0x4F,
- 0x3F, 0x91, 0x54, 0x14, 0x44, 0xB8, 0x30, 0x25, 0x1C, 0xEB, 0xDF, 0x72,
- 0x9C, 0x4C, 0xF1, 0x89, 0x0D, 0x68, 0x3F, 0x94, 0x8E, 0xA4, 0xFB, 0x76,
- 0x89, 0x18, 0xB2, 0x91, 0x16, 0x90, 0x01, 0x99, 0x66, 0x8C, 0x53, 0x81,
- 0x4E, 0x27, 0x3D, 0x99, 0xE7, 0x5A, 0x7A, 0xAF, 0xD5, 0xEC, 0xE2, 0x7E,
- 0xFA, 0xED, 0x01, 0x18, 0xC2, 0x78, 0x25, 0x59, 0x06, 0x5C, 0x39, 0xF6,
- 0xCD, 0x49, 0x54, 0xAF, 0xC1, 0xB1, 0xEA, 0x4A, 0xF9, 0x53, 0xD0, 0xDF,
- 0x6D, 0xAF, 0xD4, 0x93, 0xE7, 0xBA, 0xAE, 0x9B,
+static unsigned char dh2048_der[] = {
+ 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0x28, 0x1b,
+ 0x68, 0x69, 0x90, 0x2f, 0x37, 0x9f, 0x5a, 0x50, 0x23, 0x73, 0x2c, 0x11,
+ 0xf2, 0xac, 0x7c, 0x3e, 0x58, 0xb9, 0x23, 0x3e, 0x02, 0x07, 0x4d, 0xba,
+ 0xd9, 0x2c, 0xc1, 0x9e, 0xf9, 0xc4, 0x2f, 0xbc, 0x8d, 0x86, 0x4b, 0x2a,
+ 0x87, 0x86, 0x93, 0x32, 0x0f, 0x72, 0x40, 0xfe, 0x7e, 0xa2, 0xc1, 0x32,
+ 0xf0, 0x65, 0x9c, 0xc3, 0x19, 0x25, 0x2d, 0xeb, 0x6a, 0x49, 0x94, 0x79,
+ 0x2d, 0xa1, 0xbe, 0x05, 0x26, 0xac, 0x8d, 0x69, 0xdc, 0x2e, 0x7e, 0xb5,
+ 0xfd, 0x3c, 0x2b, 0x7d, 0x43, 0x22, 0x53, 0xf6, 0x1e, 0x04, 0x45, 0xd7,
+ 0x53, 0x84, 0xfd, 0x6b, 0x12, 0x72, 0x47, 0x04, 0xaf, 0xa4, 0xac, 0x4b,
+ 0x55, 0xb6, 0x79, 0x42, 0x40, 0x88, 0x54, 0x48, 0xd5, 0x4d, 0x3a, 0xb2,
+ 0xbf, 0x6c, 0x26, 0x95, 0x29, 0xdd, 0x8b, 0x9e, 0xed, 0xb8, 0x60, 0x8e,
+ 0xb5, 0x35, 0xb6, 0x22, 0x44, 0x1f, 0xfb, 0x56, 0x74, 0xfe, 0xf0, 0x2c,
+ 0xe6, 0x0c, 0x22, 0xc9, 0x35, 0xb3, 0x1b, 0x96, 0xbb, 0x0a, 0x5a, 0xc3,
+ 0x09, 0xa0, 0xcc, 0xa5, 0x40, 0x90, 0x0f, 0x59, 0xa2, 0x89, 0x69, 0x2a,
+ 0x69, 0x79, 0xe4, 0xd3, 0x24, 0xc6, 0x8c, 0xda, 0xbc, 0x98, 0x3a, 0x5b,
+ 0x16, 0xae, 0x63, 0x6c, 0x0b, 0x43, 0x4f, 0xf3, 0x2e, 0xc8, 0xa9, 0x6b,
+ 0x58, 0x6a, 0xa9, 0x8e, 0x64, 0x09, 0x3d, 0x88, 0x44, 0x4f, 0x97, 0x2c,
+ 0x1d, 0x98, 0xb0, 0xa9, 0xc0, 0xb6, 0x8d, 0x19, 0x37, 0x1f, 0xb7, 0xc9,
+ 0x86, 0xa8, 0xdc, 0x37, 0x4d, 0x64, 0x27, 0xf3, 0xf5, 0x2b, 0x7b, 0x6b,
+ 0x76, 0x84, 0x3f, 0xc1, 0x23, 0x97, 0x2d, 0x71, 0xf7, 0xb6, 0xc2, 0x35,
+ 0x28, 0x10, 0x96, 0xd6, 0x69, 0x0c, 0x2e, 0x1f, 0x9f, 0xdf, 0x82, 0x81,
+ 0x57, 0x57, 0x39, 0xa5, 0xf2, 0x81, 0x29, 0x57, 0xf9, 0x2f, 0xd0, 0x03,
+ 0xab, 0x02, 0x01, 0x02,
};
/*
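Review bot: The new header comment has two typos, "represenation" (should be "representation") and "considered to weak" (should be "too weak"); fix them while the comment is being rewritten anyway. Also, dh512_der and dh2048_der are only ever read, and tls_get_dh() already takes a const unsigned char *, so both arrays can be declared static const unsigned char to place them in read-only data.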
msg_panic("Invalid DH parameters size %d, file %s", bits, path);
}
+ /*
+ * This function is the first to set the DH parameters, but free any prior
+ * value just in case the call sequence changes some day.
+ */
+ if (*dhPtr) {
+ DH_free(*dhPtr);
+ *dhPtr = 0;
+ }
+
if ((paramfile = fopen(path, "r")) != 0) {
if ((*dhPtr = PEM_read_DHparams(paramfile, 0, 0, 0)) == 0) {
msg_warn("cannot load %d-bit DH parameters from file %s"
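Review bot: In the lines shown, the result of PEM_read_DHparams() is stored in *dhPtr without comparing the size of the loaded prime against bits, so unless a later check exists outside this hunk, a file holding a shorter prime than the parameter name implies is accepted as if it were the requested size. Consider checking the loaded size (for example with DH_size(), which returns bytes) and warning on a mismatch. The added free-and-clear of *dhPtr before the load is fine as defensive code.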
/* tls_get_dh - get compiled-in DH parameters */
-static DH *tls_get_dh(const unsigned char *p, int plen)
+static DH *tls_get_dh(const unsigned char *p, size_t plen)
{
- DH *dh;
- static unsigned char g[] = {0x02,};
+ const unsigned char *endp = p;
+ DH *dh = 0;
- /* Use the compiled-in parameters. */
- if ((dh = DH_new()) == 0) {
- msg_warn("cannot create DH parameter set: %m"); /* 200411 */
- return (0);
- }
- dh->p = BN_bin2bn(p, plen, (BIGNUM *) 0);
- dh->g = BN_bin2bn(g, 1, (BIGNUM *) 0);
- if ((dh->p == 0) || (dh->g == 0)) {
- msg_warn("cannot load compiled-in DH parameters"); /* 200411 */
- DH_free(dh); /* 200411 */
- return (0);
- }
- return (dh);
+ if (d2i_DHparams(&dh, &endp, plen) && plen == endp - p)
+ return (dh);
+
+ msg_warn("cannot load compiled-in DH parameters");
+ if (dh)
+ DH_free(dh);
+ return (0);
}
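Review bot: The test plen == endp - p in tls_get_dh() compares a size_t against a signed pointer difference, which draws sign-compare warnings and relies on implicit conversion; write it as plen == (size_t) (endp - p), or keep plen as a long to match the length argument of d2i_DHparams(). The trailing-bytes check itself is sound, and the failure path correctly frees a dh that parsed but left data unconsumed. Since both the 512-bit and 2048-bit callers share the single "cannot load compiled-in DH parameters" warning, it would help to log plen or the bit size so the failing set can be identified.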
/* tls_tmp_dh_cb - call-back for Diffie-Hellman parameters */
if (export && keylength == 512) { /* 40-bit export cipher */
if (dh_512 == 0)
- dh_512 = tls_get_dh(dh512_p, (int) sizeof(dh512_p));
+ dh_512 = tls_get_dh(dh512_der, sizeof(dh512_der));
dh_tmp = dh_512;
} else { /* ADH, DHE-RSA or DSA */
if (dh_1024 == 0)
- dh_1024 = tls_get_dh(dh1024_p, (int) sizeof(dh1024_p));
+ dh_1024 = tls_get_dh(dh2048_der, sizeof(dh2048_der));
dh_tmp = dh_1024;
}
return (dh_tmp);
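Review bot: In the non-export branch the cache variable is still named dh_1024 although it is now filled from dh2048_der, so the name contradicts the data it holds. Rename it in this change, either to dh_2048 or to a size-neutral name such as dh_nonexport, and update the "ADH, DHE-RSA or DSA" branch accordingly so the next size bump does not repeat the mismatch.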