From: Viktor Dukhovni
With prime-field EDH, OpenSSL wants the server to provide two explicitly-selected (prime, generator) combinations. One for @@ -195,6 +196,11 @@ compiled in, but also supports explicitly-configured overrides. "export" ciphers. To use a non-default prime, generate a 512-bit DH parameter file and set smtpd_tls_dh512_param_file to the filename (see the quick-start section for details). +With Postfix ≥ 3.1 export cipher suites are by default disabled. +Servers that enable "export" cipher-suites are vulnerable to man +in the middle attacks even against clients that don't support +"export" ciphers. Do not enable "export" ciphers except on servers +dedicated to supporting obsolete clients that support nothing else.
The non-export EDH parameters are used for all other EDH @@ -207,10 +213,12 @@ parameter file and the prime need not actually be 1024 bits long -
It turns out that (inadvisably-patched in some Debian releases) -Exim SMTP clients require a ≥ 2048-bit length for the non-export -prime. See the quick-start section for -the recommended configuration to work around this issue.
+Note, as of mid-2015, SMTP clients are starting to reject TLS +handshakes with primes smaller than 2048-bits. Use of 1024-bit +primes is not recommended. Each site needs to determine which prime +size works best for the majority of its clients. See the quick-start section for the recommended +configuration to work around this issue.
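Review bot: The closing added sentence, "See the quick-start section for the recommended configuration to work around this issue", is carried over from the removed Exim paragraph, and "this issue" no longer has a clear referent. The new text describes a general trend (clients rejecting primes smaller than 2048 bits), says 1024-bit primes are not recommended, and then leaves the prime size to each site, so a reader cannot tell what the quick-start configuration is meant to fix. Suggest stating what that configuration achieves instead of calling it a workaround. "2048-bits" should also read "2048 bits".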
The default Postfix SMTP client cipher lists are correctly ordered to prefer EECDH and EDH cipher suites ahead of similar cipher suites that don't implement forward secrecy. Administrators -are strongly discouraged from changing the cipher list definitions. -It is likely safe to set "smtp_tls_ciphers = medium" if you wish -to disable the obsolete "export" and "low" grade ciphers even with -opportunistic TLS. Setting a minimum strength does not change the -preference -order. Note that strengths higher than "medium" exclude Exchange -2003 and likely other widely used MTAs, thus "high" grade ciphers -should only be used on a case-by-case basis via the TLS policy table.
+are strongly discouraged from changing the cipher list definitions. + +If the smtp_tls_ciphers configuration parameter does not default +to "medium" in the Postfix release you're using, you should set it +explicitly to "medium" in main.cf so as to disable the obsolete +"export" and "low" grade ciphers even with opportunistic TLS (this +is the default starting with Postfix 3.1). Setting the minimum +grade does not change the preference order. Note that grades higher +than "medium" exclude Exchange 2003 and likely other widely used +MTAs, thus "high" grade ciphers should only be used on a case-by-case +basis via the TLS +policy table.
The Postfix SMTP server supports 5 distinct cipher security levels -as specified by the smtpd_tls_mandatory_ciphers configuration parameter, -which determines the cipher grade with mandatory TLS encryption. The -default value is "medium" which is essentially 128-bit encryption or better. -With opportunistic TLS encryption, the minimum accepted cipher grade is -typically "export". The corresponding smtpd_tls_ciphers parameter -(Postfix ≥ 2.6) controls the cipher grade used with opportunistic -TLS.
+The Postfix SMTP server supports 5 distinct cipher grades as +specified by the smtpd_tls_mandatory_ciphers configuration parameter, +which determines the cipher grade with mandatory TLS encryption. +The default cipher grade for mandatory TLS is "medium" which is +essentially 128-bit encryption or better. The smtpd_tls_ciphers +parameter (Postfix ≥ 2.6) controls the cipher grade used with +opportunistic TLS. With opportunistic TLS encryption, the minimum +accepted cipher grade is "export" for Postfix ≤ 3.0 and "medium" +for Postfix ≥ 3.1.
By default anonymous ciphers are enabled. They are automatically disabled when remote SMTP client certificates are requested. If @@ -828,12 +829,6 @@ by setting "smtpd_tls_mandatory_exclude_ciphers = aNULL" or a remote SMTP client to check the server certificate, so excluding anonymous ciphers is generally unnecessary.
-The "smtpd_tls_ciphers" configuration parameter (Postfix ≥ -2.6) provides control over the minimum cipher grade for opportunistic -TLS. With -Postfix < 2.6, the minimum opportunistic TLS cipher grade is always -"export".
-With mandatory TLS encryption, the Postfix SMTP server will by default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the @@ -1080,14 +1075,11 @@ is supported by the server. Otherwise, messages are sent in the clear. Opportunistic TLS can be configured by setting "smtp_tls_security_level = may". For LMTP, use the corresponding "lmtp_" parameter.
-Since sending in the clear is acceptable, demanding stronger -than default TLS security mostly reduces inter-operability. If you -must restrict TLS protocol or cipher selection even with opportunistic -TLS, the "smtp_tls_ciphers" and "smtp_tls_protocols" configuration -parameters (Postfix ≥ 2.6) provide control over the protocols -and cipher grade -used with opportunistic TLS. With earlier releases the opportunistic TLS -cipher grade is always "export" and no protocols are disabled.
+The "smtp_tls_ciphers" and "smtp_tls_protocols" configuration +parameters (Postfix ≥ 2.6) provide control over the cipher grade +and protocols used with opportunistic TLS. With earlier releases +the opportunistic TLS cipher grade is always "export" and no protocols +are disabled.
With opportunistic TLS, mail delivery continues even if the server certificate is untrusted or bears the wrong name. @@ -2318,7 +2310,7 @@ configured to supply its intermediate CA certificate).
The Postfix SMTP client supports 5 distinct cipher security levels +
The Postfix SMTP client supports 5 distinct cipher grades as specified by the smtp_tls_mandatory_ciphers configuration parameter. This setting controls the minimum acceptable SMTP client TLS cipher grade for use with mandatory TLS encryption. The default @@ -2341,7 +2333,8 @@ little point in requesting them.
The "smtp_tls_ciphers" configuration parameter (Postfix ≥ 2.6) provides control over the minimum cipher grade for opportunistic TLS. With Postfix < 2.6, the minimum opportunistic TLS cipher grade is always -"export".
+"export". Starting with Postfix 3.1, the default grade is "medium" even +for opportunistic TLS.With mandatory TLS encryption, the Postfix SMTP client will by default disable SSLv2. SSLv2 is used only when TLS encryption @@ -2363,7 +2356,7 @@ the SSL/TLS protocols used with opportunistic TLS.
# Legacy form for Postfix < 2.5: smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix ≥ 2.6: - smtp_tls_ciphers = export + smtp_tls_ciphers = medium smtp_tls_protocols = !SSLv2 @@ -2708,9 +2701,10 @@ font, and a "#" prompt indicates a super-user shell.The following commands (credits: Viktor Dukhovni) generate -and install a private key and 10-year self-signed certificate for -the local Postfix system. This requires super-user privileges.
+The following commands (credits: Viktor Dukhovni) generate and +install a 2048-bit RSA private key and 10-year self-signed certificate +for the local Postfix system. This requires super-user privileges. +
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index d710b6d9a..c311011b8 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -7318,7 +7318,7 @@ This feature is available in Postfix 2.0 and later. %PARAM broken_sasl_auth_clients no-Enable inter-operability with remote SMTP clients that implement an obsolete +Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook Express version 4 and MicroSoft Exchange version 5.0. @@ -9597,7 +9597,7 @@ to Postfix 2.9.6 or later.
%PARAM smtpd_tls_cipherlistObsolete Postfix < 2.3 control for the Postfix SMTP server TLS -cipher list. It is easy to create inter-operability problems by choosing +cipher list. It is easy to create interoperability problems by choosing a non-default cipher list. Do not use a non-default TLS cipherlist for MX hosts on the public Internet. Clients that begin the TLS handshake, but are unable to agree on a common cipher, may not be able to send any @@ -9652,8 +9652,9 @@ smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem %PARAM smtpd_tls_dh512_param_file -
File with DH parameters that the Postfix SMTP server should -use with export-grade EDH ciphers.
+File with DH parameters that the Postfix SMTP server should use +with export-grade EDH ciphers. With Postfix ≥ 3.1 export cipher +suites are by default disabled.
See also the discussion under the smtpd_tls_dh1024_param_file configuration parameter.
@@ -10043,7 +10044,7 @@ postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. As this feature applies to all TLS security levels, it is easy -to create inter-operability problems by choosing a non-default cipher +to create interoperability problems by choosing a non-default cipher list. Do not use a non-default TLS cipher list on hosts that deliver email to the public Internet: you will be unable to send email to servers that only support the ciphers you exclude. Using a restricted cipher list @@ -10950,7 +10951,7 @@ security are:
may Opportunistic TLS. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces -inter-operability. The optional "ciphers", "exclude" and "protocols" +interoperability. The optional "ciphers", "exclude" and "protocols" attributes (available for opportunistic TLS with Postfix ≥ 2.6) override the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers" and "smtp_tls_protocols" configuration parameters. When opportunistic TLS @@ -11342,7 +11343,7 @@ destinations via smtp_tls_policy_maps. Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext. Since sending in the clear is acceptable, demanding stronger than default TLS -security merely reduces inter-operability. +security merely reduces interoperability. The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6) configuration parameters provide control over the protocols and cipher grade used with opportunistic TLS. With earlier releases the @@ -11718,17 +11719,16 @@ one "medium" or "high" grade cipher.
- export
-- Enable "EXPORT" grade or stronger OpenSSL ciphers. -This is the most appropriate setting for public MX hosts, and is always -used with opportunistic TLS encryption. The underlying cipherlist -is specified via the tls_export_cipherlist configuration parameter, -which you are strongly encouraged to not change.
+- Enable "EXPORT" grade or stronger OpenSSL ciphers. The +underlying cipherlist is specified via the tls_export_cipherlist +configuration parameter, which you are strongly encouraged to not +change. This setting is insecure and SHOULD NOT be used.
- low
-- Enable "LOW" grade or stronger OpenSSL ciphers. The -underlying cipherlist is specified via the tls_low_cipherlist -configuration parameter, which you are strongly encouraged to -not change.
+- Enable "LOW" grade or stronger OpenSSL ciphers. The underlying +cipherlist is specified via the tls_low_cipherlist configuration +parameter, which you are strongly encouraged to not change. This +setting is insecure and SHOULD NOT be used.
- medium
- Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit @@ -11825,18 +11825,16 @@ on a per-destination basis.
- export
-- Enable "EXPORT" grade or better OpenSSL -ciphers. This is the default for opportunistic encryption. It is -not recommended for mandatory encryption unless you must enforce TLS -with "crippled" peers. The underlying cipherlist is specified via the -tls_export_cipherlist configuration parameter, which you are strongly -encouraged to not change.
+- Enable "EXPORT" grade or better OpenSSL ciphers. The underlying +cipherlist is specified via the tls_export_cipherlist configuration +parameter, which you are strongly encouraged to not change. This +choice is insecure and SHOULD NOT be used.
- low
-- Enable "LOW" grade or better OpenSSL ciphers. This -setting is only appropriate for internal mail servers. The underlying +
- Enable "LOW" grade or better OpenSSL ciphers. The underlying cipherlist is specified via the tls_low_cipherlist configuration -parameter, which you are strongly encouraged to not change.
+parameter, which you are strongly encouraged to not change. This +choice is insecure and SHOULD NOT be used.- medium
- Enable "MEDIUM" grade or better OpenSSL ciphers. @@ -11919,59 +11917,50 @@ attribute. See smtp_tls_policy_maps for notes and examples.
This feature is available in Postfix 2.3 and later.
-%PARAM tls_high_cipherlist ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH +%PARAM tls_high_cipherlist see "postconf -d" output -The OpenSSL cipherlist for "HIGH" grade ciphers. This defines -the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, -smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting. With OpenSSL 1.0.0 and -later the cipherlist may start with an "aNULL:" prefix, which restores -the 0.9.8-compatible ordering of the aNULL ciphers to the top of the -list when they are enabled. This prefix is not needed with previous -OpenSSL releases.
+The OpenSSL cipherlist for "high" grade ciphers. This defines +the meaning of the "high" setting in smtpd_tls_ciphers, +smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, +lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly +encouraged to not change this setting.
This feature is available in Postfix 2.3 and later.
-%PARAM tls_medium_cipherlist ALL:!EXPORT:!LOW:+RC4:@STRENGTH +%PARAM tls_medium_cipherlist see "postconf -d" output -The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This -defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers, -smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is -the default cipherlist for mandatory TLS encryption in the TLS -client (with anonymous ciphers disabled when verifying server -certificates). You are strongly encouraged to not change this -setting. With OpenSSL 1.0.0 and later the cipherlist may start with an -"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the -aNULL ciphers to the top of the list when they are enabled. This prefix -is not needed with previous OpenSSL releases.
+The OpenSSL cipherlist for "medium" grade ciphers. This defines +the meaning of the "medium" setting in smtpd_tls_ciphers, +smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, +lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This is the +default cipherlist for mandatory TLS encryption in the TLS client +(with anonymous ciphers disabled when verifying server certificates). +With Postfix ≥ 3.1 this is the default cipherlist for the +opportunistic ("may") TLS client security level and also the default +cipherlist for the SMTP server. You are strongly encouraged to not +change this setting.
This feature is available in Postfix 2.3 and later.
-%PARAM tls_low_cipherlist ALL:!EXPORT:+RC4:@STRENGTH +%PARAM tls_low_cipherlist see "postconf -d" output -The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines -the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, -smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting. With OpenSSL 1.0.0 and -later the cipherlist may start with an "aNULL:" prefix, which restores -the 0.9.8-compatible ordering of the aNULL ciphers to the top of the -list when they are enabled. This prefix is not needed with previous -OpenSSL releases.
+The OpenSSL cipherlist for "low" grade ciphers. This defines +the meaning of the "low" setting in smtpd_tls_ciphers, +smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, +lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly +encouraged to not change this setting.
This feature is available in Postfix 2.3 and later.
-%PARAM tls_export_cipherlist ALL:+RC4:@STRENGTH +%PARAM tls_export_cipherlist see "postconf -d" output -The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This -defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, -smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is -the cipherlist for the opportunistic ("may") TLS client security -level and is the default cipherlist for the SMTP server. You are -strongly encouraged to not change this setting. With OpenSSL 1.0.0 and -later the cipherlist may start with an "aNULL:" prefix, which restores -the 0.9.8-compatible ordering of the aNULL ciphers to the top of the -list when they are enabled. This prefix is not needed with previous -OpenSSL releases.
+The OpenSSL cipherlist for "export" grade ciphers. This defines +the meaning of the "export" setting in smtpd_tls_ciphers, +smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, +lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With Postfix +≤ 3.0 this is the default cipherlist for the opportunistic ("may") +TLS client security level and also the default cipherlist for the +SMTP server. You are strongly encouraged to not change this setting.
This feature is available in Postfix 2.3 and later.
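Review bot: The rewritten descriptions of tls_medium_cipherlist, tls_low_cipherlist and tls_export_cipherlist drop "or higher", so 'The OpenSSL cipherlist for "medium" grade ciphers' now reads as if the list held only that grade. The grade list items earlier in this file still describe each grade as a floor ('Enable "MEDIUM" grade or stronger OpenSSL ciphers'). Suggest keeping "or higher grade ciphers" for the three lower grades. The paragraph about the "aNULL:" prefix is also removed from all four parameters without replacement; if the prefix is no longer meaningful, one sentence saying so would help sites that still carry it in an override.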
@@ -12428,7 +12417,7 @@ only the SASL authentiCation ID (authcid) plus the authcid's password.The non-default setting "yes" enables the behavior of older Postfix versions. These always send a SASL authzid that is equal -to the SASL authcid, but this causes inter-operability problems +to the SASL authcid, but this causes interoperability problems with some SMTP servers.
This feature is available in Postfix 2.4.4 and later.
@@ -12480,7 +12469,7 @@ versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2"To include a protocol list its name, to exclude it, prefix the name -with a "!" character. To exclude SSLv2 even for opportunistic TLS set +with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not @@ -12511,7 +12500,7 @@ versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
To include a protocol list its name, to exclude it, prefix the name -with a "!" character. To exclude SSLv2 even for opportunistic TLS set +with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to include, rather than protocols to exclude, is supported, but not @@ -12532,54 +12521,40 @@ parameter. See there for details.
This feature is available in Postfix 2.6 and later.
-%PARAM smtp_tls_ciphers export +%PARAM smtp_tls_ciphers see "postconf -d" output -The minimum TLS cipher grade that the Postfix SMTP client -will use with opportunistic TLS encryption. Cipher types listed in +
The minimum TLS cipher grade that the Postfix SMTP client will +use with opportunistic TLS encryption. Cipher types listed in smtp_tls_exclude_ciphers are excluded from the base definition of -the selected cipher grade. The default value "export" ensures maximum -inter-operability. Because encryption is optional, stronger controls -are not appropriate, and this setting SHOULD NOT be changed unless the -change is essential.
+the selected cipher grade. Starting with Postfix 3.1, the default +value changes from "export" to "medium".When TLS is mandatory the cipher grade is chosen via the smtp_tls_mandatory_ciphers configuration parameter, see there for syntax details. See smtp_tls_policy_maps for information on how to configure ciphers on a per-destination basis.
-Example:
--smtp_tls_ciphers = export --This feature is available in Postfix 2.6 and later. With earlier Postfix releases only the smtp_tls_mandatory_ciphers parameter is implemented, and opportunistic TLS always uses "export" or better (i.e. all) ciphers.
-%PARAM smtpd_tls_ciphers export +%PARAM smtpd_tls_ciphers see "postconf -d" output -The minimum TLS cipher grade that the Postfix SMTP server -will use with opportunistic TLS encryption. Cipher types listed in +
The minimum TLS cipher grade that the Postfix SMTP server will +use with opportunistic TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the base definition of -the selected cipher grade. The default value "export" ensures maximum -inter-operability. Because encryption is optional, stronger controls -are not appropriate, and this setting SHOULD NOT be changed unless the -change is essential.
+the selected cipher grade. Starting with Postfix 3.1, the default +value changes from "export" to "medium".When TLS is mandatory the cipher grade is chosen via the smtpd_tls_mandatory_ciphers configuration parameter, see there for syntax details.
-Example:
--smtpd_tls_ciphers = export --This feature is available in Postfix 2.6 and later. With earlier Postfix releases only the smtpd_tls_mandatory_ciphers parameter is implemented, and opportunistic TLS always uses "export" or better (i.e. all) ciphers.
-%PARAM lmtp_tls_ciphers export +%PARAM lmtp_tls_ciphers see "postconf -d" outputThe LMTP-specific version of the smtp_tls_ciphers configuration parameter. See there for details.
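Review bot: The %PARAM lines for smtp_tls_ciphers, smtpd_tls_ciphers and lmtp_tls_ciphers now read 'see "postconf -d" output', and both Example blocks are removed, so the page no longer shows the default as a value. The mail_params.h part of this patch sets all three to the fixed literal "medium", so the %PARAM line could simply carry "medium", as it carried "export" before. The added sentence 'Starting with Postfix 3.1, the default value changes from "export" to "medium"' would also read better as a statement of the current default, with "export" named as the earlier one.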
@@ -14002,7 +13977,7 @@ this test the next time the client connects.A mechanism to transform commands from remote SMTP clients. This is a last-resort tool to work around client commands that break -inter-operability with the Postfix SMTP server. Other uses involve +interoperability with the Postfix SMTP server. Other uses involve fault injection to test Postfix's handling of invalid commands.
@@ -14075,7 +14050,7 @@ feature:A mechanism to transform replies from remote SMTP servers one line at a time. This is a last-resort tool to work around server -replies that break inter-operability with the Postfix SMTP client. +replies that break interoperability with the Postfix SMTP client. Other uses involve fault injection to test Postfix's handling of invalid responses.
@@ -14912,7 +14887,8 @@ for further details.File with DH parameters that the Postfix tlsproxy(8) server should use with export-grade EDH ciphers. See smtpd_tls_dh512_param_file -for further details.
+for further details. With Postfix ≥ 3.1 export cipher suites +are by default disabled.This feature is available in Postfix 2.8 and later.
diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 7d027faf4..84595b8e5 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -567,7 +567,7 @@ static void check_legacy_defaults(void) * * To turn off further warnings and deploy the new default settings, the * system administrator should update the compatibility_level setting as - * recommended in the RELASE_NOTES file. + * recommended in the RELEASE_NOTES file. * * Each incompatible change has its own flag variable, instead of bit in a * shared variable. We don't want to rip up code when we need more flag diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 823fc0c85..223ca5f90 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1317,7 +1317,7 @@ extern char *var_smtpd_tls_proto; extern char *var_smtpd_tls_mand_proto; #define VAR_SMTPD_TLS_CIPH "smtpd_tls_ciphers" -#define DEF_SMTPD_TLS_CIPH "export" +#define DEF_SMTPD_TLS_CIPH "medium" extern char *var_smtpd_tls_ciph; #define VAR_SMTPD_TLS_MAND_CIPH "smtpd_tls_mandatory_ciphers" @@ -1464,9 +1464,9 @@ extern char *var_smtp_tls_CAfile; extern char *var_smtp_tls_CApath; #define VAR_SMTP_TLS_CIPH "smtp_tls_ciphers" -#define DEF_SMTP_TLS_CIPH "export" +#define DEF_SMTP_TLS_CIPH "medium" #define VAR_LMTP_TLS_CIPH "lmtp_tls_ciphers" -#define DEF_LMTP_TLS_CIPH "export" +#define DEF_LMTP_TLS_CIPH "medium" extern char *var_smtp_tls_ciph; #define VAR_SMTP_TLS_MAND_CIPH "smtp_tls_mandatory_ciphers" diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index e1a8d2c2e..1f3f21b87 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c 
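Review bot: In postfix/src/global/mail_params.h, DEF_SMTPD_TLS_CIPH, DEF_SMTP_TLS_CIPH and DEF_LMTP_TLS_CIPH move from "export" to "medium" unconditionally, while the mail_params.c hunk only corrects a spelling inside the check_legacy_defaults() comment. That comment describes incompatible default changes as each having its own flag variable, with warnings controlled by compatibility_level, and none of the visible hunks adds one for the cipher grade. If the exemption is deliberate, the commit message or RELEASE_NOTES should say so, because after an upgrade a peer that offers only export or low grade ciphers will no longer complete an opportunistic TLS handshake.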
@@ -402,14 +402,14 @@ /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) /* process requests from the \fBtlsmgr\fR(8) server in order to seed its /* internal pseudo random number generator (PRNG). -/* .IP "\fBtls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)\fR" -/* The OpenSSL cipherlist for "HIGH" grade ciphers. -/* .IP "\fBtls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)\fR" -/* The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. -/* .IP "\fBtls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)\fR" -/* The OpenSSL cipherlist for "LOW" or higher grade ciphers. -/* .IP "\fBtls_export_cipherlist (ALL:+RC4:@STRENGTH)\fR" -/* The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. +/* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "high" grade ciphers. +/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "medium" grade ciphers. +/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "low" grade ciphers. +/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "export" grade ciphers. /* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR" /* The OpenSSL cipherlist for "NULL" grade ciphers that provide /* authentication without encryption. 
@@ -433,9 +433,9 @@ /* .IP "\fBsmtp_tls_protocols (!SSLv2)\fR" /* List of TLS protocols that the Postfix SMTP client will exclude or /* include with opportunistic TLS encryption. -/* .IP "\fBsmtp_tls_ciphers (export)\fR" -/* The minimum TLS cipher grade that the Postfix SMTP client -/* will use with opportunistic TLS encryption. +/* .IP "\fBsmtp_tls_ciphers (see 'postconf -d' output)\fR" +/* The minimum TLS cipher grade that the Postfix SMTP client will +/* use with opportunistic TLS encryption. /* .IP "\fBsmtp_tls_eccert_file (empty)\fR" /* File with the Postfix SMTP client ECDSA certificate in PEM format. /* .IP "\fBsmtp_tls_eckey_file ($smtp_tls_eccert_file)\fR" diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index a8d55cc5a..4104d5200 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -79,7 +79,7 @@ /* .ad /* .fi /* .IP "\fBbroken_sasl_auth_clients (no)\fR" -/* Enable inter-operability with remote SMTP clients that implement an obsolete +/* Enable interoperability with remote SMTP clients that implement an obsolete /* version of the AUTH command (RFC 4954). /* .IP "\fBdisable_vrfy_command (no)\fR" /* Disable the SMTP VRFY command. @@ -284,7 +284,7 @@ /* Postfix SMTP client to a remote SMTP server. /* See the SASL_README document for details. /* .IP "\fBbroken_sasl_auth_clients (no)\fR" -/* Enable inter-operability with remote SMTP clients that implement an obsolete +/* Enable interoperability with remote SMTP clients that implement an obsolete /* version of the AUTH command (RFC 4954). /* .IP "\fBsmtpd_sasl_auth_enable (no)\fR" /* Enable SASL authentication in the Postfix SMTP server. 
@@ -378,8 +378,8 @@ /* File with DH parameters that the Postfix SMTP server should /* use with non-export EDH ciphers. /* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR" -/* File with DH parameters that the Postfix SMTP server should -/* use with export-grade EDH ciphers. +/* File with DH parameters that the Postfix SMTP server should use +/* with export-grade EDH ciphers. /* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR" /* File with the Postfix SMTP server DSA private key in PEM format. /* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR" @@ -410,14 +410,14 @@ /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) /* process requests from the \fBtlsmgr\fR(8) server in order to seed its /* internal pseudo random number generator (PRNG). -/* .IP "\fBtls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)\fR" -/* The OpenSSL cipherlist for "HIGH" grade ciphers. -/* .IP "\fBtls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)\fR" -/* The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. -/* .IP "\fBtls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)\fR" -/* The OpenSSL cipherlist for "LOW" or higher grade ciphers. -/* .IP "\fBtls_export_cipherlist (ALL:+RC4:@STRENGTH)\fR" -/* The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. +/* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "high" grade ciphers. +/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "medium" grade ciphers. +/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "low" grade ciphers. +/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "export" grade ciphers. /* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR" /* The OpenSSL cipherlist for "NULL" grade ciphers that provide /* authentication without encryption. 
@@ -433,9 +433,9 @@ /* .IP "\fBsmtpd_tls_protocols (empty)\fR" /* List of TLS protocols that the Postfix SMTP server will exclude /* or include with opportunistic TLS encryption. -/* .IP "\fBsmtpd_tls_ciphers (export)\fR" -/* The minimum TLS cipher grade that the Postfix SMTP server -/* will use with opportunistic TLS encryption. +/* .IP "\fBsmtpd_tls_ciphers (see 'postconf -d' output)\fR" +/* The minimum TLS cipher grade that the Postfix SMTP server will +/* use with opportunistic TLS encryption. /* .IP "\fBsmtpd_tls_eccert_file (empty)\fR" /* File with the Postfix SMTP server ECDSA certificate in PEM format. /* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR" diff --git a/postfix/src/tls/tls_dh.c b/postfix/src/tls/tls_dh.c index be126c9a1..3186fd2d9 100644 --- a/postfix/src/tls/tls_dh.c +++ b/postfix/src/tls/tls_dh.c 
@@ -87,44 +87,61 @@ /* Application-specific. */ /* - * Compiled-in EDH primes (the compiled-in generator is always 2). These are - * used when no parameters are explicitly loaded from a site-specific file. - * - * 512-bit parameters are used for export ciphers, and 1024-bit parameters are - * used for non-export ciphers. An ~80-bit strong EDH key exchange is really - * too weak to protect 128+ bit keys, but larger DH primes are - * computationally expensive. When greater security is required, use EECDH. + * Compiled-in DH parameters. Used when no parameters are explicitly loaded + * from a site-specific file. Using an ASN.1 DER encoding avoids the need to + * explicitly manipulate the internal represenation of DH parameter objects. + * + * 512-bit parameters are used for export ciphers, and 2048-bit parameters are + * used for non-export ciphers. The non-export group is now 2048-bit, as 1024 + * bits is increasingly considered to weak by clients. When greater security + * is required, use EECDH. */ - /* - * Generated via "openssl dhparam -2 -noout -C 512 2>/dev/null" TODO: - * generate at compile-time. + /*- + * Generated via: + * $ openssl dhparam -2 -outform DER 512 2>/dev/null | + * hexdump -ve '/1 "0x%02x, "' | fmt + * TODO: generate at compile-time. 
*/ -static unsigned char dh512_p[] = { - 0x88, 0x3F, 0x00, 0xAF, 0xFC, 0x0C, 0x8A, 0xB8, 0x35, 0xCD, 0xE5, 0xC2, - 0x0F, 0x55, 0xDF, 0x06, 0x3F, 0x16, 0x07, 0xBF, 0xCE, 0x13, 0x35, 0xE4, - 0x1C, 0x1E, 0x03, 0xF3, 0xAB, 0x17, 0xF6, 0x63, 0x50, 0x63, 0x67, 0x3E, - 0x10, 0xD7, 0x3E, 0xB4, 0xEB, 0x46, 0x8C, 0x40, 0x50, 0xE6, 0x91, 0xA5, - 0x6E, 0x01, 0x45, 0xDE, 0xC9, 0xB1, 0x1F, 0x64, 0x54, 0xFA, 0xD9, 0xAB, - 0x4F, 0x70, 0xBA, 0x5B, +static unsigned char dh512_der[] = { + 0x30, 0x46, 0x02, 0x41, 0x00, 0xd8, 0xbf, 0x11, 0xd6, 0x41, 0x2a, 0x7a, + 0x9c, 0x78, 0xb2, 0xaa, 0x41, 0x23, 0x0a, 0xdc, 0xcf, 0xb7, 0x19, 0xc5, + 0x16, 0x4c, 0xcb, 0x4a, 0xd0, 0xd2, 0x1f, 0x1f, 0x70, 0x24, 0x86, 0x6f, + 0x51, 0x52, 0xc6, 0x5b, 0x28, 0xbb, 0x82, 0xe1, 0x24, 0x91, 0x3d, 0x4d, + 0x95, 0x56, 0xf8, 0x0b, 0x2c, 0xe0, 0x36, 0x67, 0x88, 0x64, 0x15, 0x1f, + 0x45, 0xd5, 0xb8, 0x0a, 0x00, 0x03, 0x76, 0x32, 0x0b, 0x02, 0x01, 0x02, }; - /* - * Generated via "openssl dhparam -2 -noout -C 1024 2>/dev/null" TODO: - * generate at compile-time. + /*- + * Generated via: + * $ openssl dhparam -2 -outform DER 2048 2>/dev/null | + * hexdump -ve '/1 "0x%02x, "' | fmt + * TODO: generate at compile-time. 
*/ -static unsigned char dh1024_p[] = { - 0xB0, 0xFE, 0xB4, 0xCF, 0xD4, 0x55, 0x07, 0xE7, 0xCC, 0x88, 0x59, 0x0D, - 0x17, 0x26, 0xC5, 0x0C, 0xA5, 0x4A, 0x92, 0x23, 0x81, 0x78, 0xDA, 0x88, - 0xAA, 0x4C, 0x13, 0x06, 0xBF, 0x5D, 0x2F, 0x9E, 0xBC, 0x96, 0xB8, 0x51, - 0x00, 0x9D, 0x0C, 0x0D, 0x75, 0xAD, 0xFD, 0x3B, 0xB1, 0x7E, 0x71, 0x4F, - 0x3F, 0x91, 0x54, 0x14, 0x44, 0xB8, 0x30, 0x25, 0x1C, 0xEB, 0xDF, 0x72, - 0x9C, 0x4C, 0xF1, 0x89, 0x0D, 0x68, 0x3F, 0x94, 0x8E, 0xA4, 0xFB, 0x76, - 0x89, 0x18, 0xB2, 0x91, 0x16, 0x90, 0x01, 0x99, 0x66, 0x8C, 0x53, 0x81, - 0x4E, 0x27, 0x3D, 0x99, 0xE7, 0x5A, 0x7A, 0xAF, 0xD5, 0xEC, 0xE2, 0x7E, - 0xFA, 0xED, 0x01, 0x18, 0xC2, 0x78, 0x25, 0x59, 0x06, 0x5C, 0x39, 0xF6, - 0xCD, 0x49, 0x54, 0xAF, 0xC1, 0xB1, 0xEA, 0x4A, 0xF9, 0x53, 0xD0, 0xDF, - 0x6D, 0xAF, 0xD4, 0x93, 0xE7, 0xBA, 0xAE, 0x9B, +static unsigned char dh2048_der[] = { + 0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbf, 0x28, 0x1b, + 0x68, 0x69, 0x90, 0x2f, 0x37, 0x9f, 0x5a, 0x50, 0x23, 0x73, 0x2c, 0x11, + 0xf2, 0xac, 0x7c, 0x3e, 0x58, 0xb9, 0x23, 0x3e, 0x02, 0x07, 0x4d, 0xba, + 0xd9, 0x2c, 0xc1, 0x9e, 0xf9, 0xc4, 0x2f, 0xbc, 0x8d, 0x86, 0x4b, 0x2a, + 0x87, 0x86, 0x93, 0x32, 0x0f, 0x72, 0x40, 0xfe, 0x7e, 0xa2, 0xc1, 0x32, + 0xf0, 0x65, 0x9c, 0xc3, 0x19, 0x25, 0x2d, 0xeb, 0x6a, 0x49, 0x94, 0x79, + 0x2d, 0xa1, 0xbe, 0x05, 0x26, 0xac, 0x8d, 0x69, 0xdc, 0x2e, 0x7e, 0xb5, + 0xfd, 0x3c, 0x2b, 0x7d, 0x43, 0x22, 0x53, 0xf6, 0x1e, 0x04, 0x45, 0xd7, + 0x53, 0x84, 0xfd, 0x6b, 0x12, 0x72, 0x47, 0x04, 0xaf, 0xa4, 0xac, 0x4b, + 0x55, 0xb6, 0x79, 0x42, 0x40, 0x88, 0x54, 0x48, 0xd5, 0x4d, 0x3a, 0xb2, + 0xbf, 0x6c, 0x26, 0x95, 0x29, 0xdd, 0x8b, 0x9e, 0xed, 0xb8, 0x60, 0x8e, + 0xb5, 0x35, 0xb6, 0x22, 0x44, 0x1f, 0xfb, 0x56, 0x74, 0xfe, 0xf0, 0x2c, + 0xe6, 0x0c, 0x22, 0xc9, 0x35, 0xb3, 0x1b, 0x96, 0xbb, 0x0a, 0x5a, 0xc3, + 0x09, 0xa0, 0xcc, 0xa5, 0x40, 0x90, 0x0f, 0x59, 0xa2, 0x89, 0x69, 0x2a, + 0x69, 0x79, 0xe4, 0xd3, 0x24, 0xc6, 0x8c, 0xda, 0xbc, 0x98, 0x3a, 0x5b, + 0x16, 0xae, 0x63, 
0x6c, 0x0b, 0x43, 0x4f, 0xf3, 0x2e, 0xc8, 0xa9, 0x6b, + 0x58, 0x6a, 0xa9, 0x8e, 0x64, 0x09, 0x3d, 0x88, 0x44, 0x4f, 0x97, 0x2c, + 0x1d, 0x98, 0xb0, 0xa9, 0xc0, 0xb6, 0x8d, 0x19, 0x37, 0x1f, 0xb7, 0xc9, + 0x86, 0xa8, 0xdc, 0x37, 0x4d, 0x64, 0x27, 0xf3, 0xf5, 0x2b, 0x7b, 0x6b, + 0x76, 0x84, 0x3f, 0xc1, 0x23, 0x97, 0x2d, 0x71, 0xf7, 0xb6, 0xc2, 0x35, + 0x28, 0x10, 0x96, 0xd6, 0x69, 0x0c, 0x2e, 0x1f, 0x9f, 0xdf, 0x82, 0x81, + 0x57, 0x57, 0x39, 0xa5, 0xf2, 0x81, 0x29, 0x57, 0xf9, 0x2f, 0xd0, 0x03, + 0xab, 0x02, 0x01, 0x02, }; /* @@ -151,6 +168,15 @@ void tls_set_dh_from_file(const char *path, int bits) msg_panic("Invalid DH parameters size %d, file %s", bits, path); } + /* + * This function is the first to set the DH parameters, but free any prior + * value just in case the call sequence changes some day. + */ + if (*dhPtr) { + DH_free(*dhPtr); + *dhPtr = 0; + } + if ((paramfile = fopen(path, "r")) != 0) { if ((*dhPtr = PEM_read_DHparams(paramfile, 0, 0, 0)) == 0) { msg_warn("cannot load %d-bit DH parameters from file %s" 
@@ -166,24 +192,18 @@ void tls_set_dh_from_file(const char *path, int bits) /* tls_get_dh - get compiled-in DH parameters */ -static DH *tls_get_dh(const unsigned char *p, int plen) +static DH *tls_get_dh(const unsigned char *p, size_t plen) { - DH *dh; - static unsigned char g[] = {0x02,}; + const unsigned char *endp = p; + DH *dh = 0; - /* Use the compiled-in parameters. */ - if ((dh = DH_new()) == 0) { - msg_warn("cannot create DH parameter set: %m"); /* 200411 */ - return (0); - } - dh->p = BN_bin2bn(p, plen, (BIGNUM *) 0); - dh->g = BN_bin2bn(g, 1, (BIGNUM *) 0); - if ((dh->p == 0) || (dh->g == 0)) { - msg_warn("cannot load compiled-in DH parameters"); /* 200411 */ - DH_free(dh); /* 200411 */ - return (0); - } - return (dh); + if (d2i_DHparams(&dh, &endp, plen) && plen == endp - p) + return (dh); + + msg_warn("cannot load compiled-in DH parameters"); + if (dh) + DH_free(dh); + return (0); } /* tls_tmp_dh_cb - call-back for Diffie-Hellman parameters */ @@ -194,11 +214,11 @@ DH *tls_tmp_dh_cb(SSL *unused_ssl, int export, int keylength) if (export && keylength == 512) { /* 40-bit export cipher */ if (dh_512 == 0) - dh_512 = tls_get_dh(dh512_p, (int) sizeof(dh512_p)); + dh_512 = tls_get_dh(dh512_der, sizeof(dh512_der)); dh_tmp = dh_512; } else { /* ADH, DHE-RSA or DSA */ if (dh_1024 == 0) - dh_1024 = tls_get_dh(dh1024_p, (int) sizeof(dh1024_p)); + dh_1024 = tls_get_dh(dh2048_der, sizeof(dh2048_der)); dh_tmp = dh_1024; } return (dh_tmp);
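Review bot: In the first hunk (@@ -87,44 +87,61 @@), the rewritten header comment has two typos: "represenation" should be "representation" and "considered to weak" should be "considered too weak". The new arrays dh512_der and dh2048_der are only ever read through the const unsigned char * parameter of tls_get_dh(), so they can be declared "static const unsigned char", which keeps the compiled-in groups in read-only data.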
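Review bot: In the tls_set_dh_from_file() hunk (@@ -151,6 +168,15 @@), the new DH_free() block runs before the fopen(), so if the call sequence does change as the comment anticipates, a file that cannot be opened or parsed will have already discarded the earlier parameters and left *dhPtr null. If that is the intended behaviour, say so in the comment; otherwise read into a temporary and replace *dhPtr only after PEM_read_DHparams() succeeds.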
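Review bot: In tls_get_dh() (@@ -166,24 +192,18 @@), the test "plen == endp - p" compares a size_t against a signed pointer difference, and plen is also passed as the length argument of d2i_DHparams(), which takes a long. Make both conversions explicit, for example "plen == (size_t) (endp - p)", to avoid sign-compare warnings. The single "cannot load compiled-in DH parameters" warning now covers both a decode failure and trailing bytes after a valid structure; separate messages would make a mis-edited array easier to diagnose.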
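Review bot: In tls_tmp_dh_cb() (@@ -194,11 +214,11 @@), dh_1024 now caches the group decoded from dh2048_der, so the variable name no longer matches what it holds. Rename it (dh_2048 or a size-neutral name), together with its declaration outside this hunk, so a later reader does not assume the non-export branch still serves a 1024-bit prime. The "/* ADH, DHE-RSA or DSA */" comment is a natural place to state the 2048-bit size.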