Re: [exim] Define preferred encryption algorithms

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Define preferred encryption algorithms
> On Oct 10, 2019, at 10:30 AM, jmedard--- via Exim-users <exim-users@???> wrote:
>
> More and more Internet security diagnostic tools (such as Immuniweb and
> Hardenize) specify that mail servers should be able to offer their preferred
> encryption algorithms. They consider it a security risk if the server must
> not be configured to select the best-available suite.


Some of these tools are developed by folks without a long
history of experience in TLS for SMTP, and who may not have
internalized the message of https://tools.ietf.org/html/rfc7435

In particular, with opportunistic TLS, it is more important to
interoperate than to set a high strict "floor" on TLS security.
The reason is that failure to negotiate common TLS parameters
often results in transmission in the clear as a fallback, which
is hardly an improvement.

Therefore, resist the temptation to crank up security to 11,
and try to avoid being overly prescriptive in your cipher
choices. You can certainly disable the most obvious obsolete
ciphers that nobody uses anymore, but otherwise should generally
use the default settings of your TLS library.

That said, enabling server cipher preference is not unreasonable
for MTAs, and should be largely harmless.

If you feel you must specify the ciphers, with OpenSSL I
recommend:

    DEFAULT:!EXPORT:!LOW:!aDSS:!kECDH:!kDH:!MD5:!RC4:!3DES:!SEED:!RC2:!RC5:!IDEA


This does not exclude future strong ciphers, as specifying only
a specific list of current candidates would: it uses the default
list and only subtracts legacy ciphers that may still be enabled in
your library depending on how old it is.

  * !DSS - disable support for DSA certificates that nobody uses
  * !kECDH - disable support for "fixed ECDH", which lacks forward
    secrecy, is not used, and should not be used
  * !kDH - ditto for "fixed DH"
  * !MD5 - Just in case you somehow failed to disable SSLv2,
    disabling MD5 also disables all SSLv2 ciphers.
  * The rest are obsolete encryption algorithms that are
    almost never used.


In the case of RC4 and 3DES, it is possible that you'll break
TLS with a tiny fraction of peers. You could check your logs
for evidence of extant use after enabling server cipher preference,
and leaving these enabled initially to see whether they're still
needed for your mail traffic.

-- 
    Viktor.
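A way to check what the recommended string above actually yields before putting it into an MTA configuration. This is an added example, not code from the mail or from Exim: it feeds the string to the OpenSSL library bundled with Python's ssl module (assumed to be OpenSSL 1.1.1 or later), enables server cipher preference, and audits the resulting list for the legacy algorithms the string is meant to remove. OpenSSL silently ignores cipher-string keywords it does not recognise, so inspecting the resulting list is the only reliable way to see the effect of a string.

```python
import ssl

# The cipher string recommended in the mail above.
RECOMMENDED = ("DEFAULT:!EXPORT:!LOW:!aDSS:!kECDH:!kDH:!MD5:!RC4:!3DES"
               ":!SEED:!RC2:!RC5:!IDEA")

# Substrings of OpenSSL long names for the symmetric algorithms the
# string subtracts (3DES is reported as "des-ede3-cbc").
LEGACY_SYMMETRIC = ("rc4", "des-ede3", "seed", "idea", "rc2", "rc5")


def audit_cipher(c):
    """Return reasons why one entry from SSLContext.get_ciphers()
    (a dict with 'symmetric', 'digest', 'auth', 'strength_bits')
    contradicts the intent of RECOMMENDED; [] means it is acceptable."""
    problems = []
    sym = (c.get("symmetric") or "").lower()
    if any(tag in sym for tag in LEGACY_SYMMETRIC):
        problems.append("legacy cipher %s" % sym)
    if (c.get("digest") or "").lower() == "md5":
        problems.append("MD5 MAC")
    if (c.get("auth") or "").lower() == "auth-dss":
        problems.append("DSA certificate auth")
    bits = c.get("strength_bits", 0)
    if bits < 128:  # EXPORT/LOW and 3DES (112) land here
        problems.append("weak strength %d bits" % bits)
    return problems


def build_server_context(spec=RECOMMENDED):
    """Server-side context using `spec`; set_ciphers() raises
    ssl.SSLError if the string selects no cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    # Server cipher preference, as the mail says is harmless for MTAs.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def server_prefers_own_order(ctx):
    """True when the context will use the server's cipher order."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def audit_spec(spec=RECOMMENDED):
    """Map cipher name -> list of problems for every offending cipher
    the library keeps enabled under `spec`; {} means the string is clean."""
    ctx = build_server_context(spec)
    report = {}
    for c in ctx.get_ciphers():
        problems = audit_cipher(c)
        if problems:
            report[c["name"]] = problems
    return report


if __name__ == "__main__":
    print(audit_spec() or "no legacy ciphers left enabled")
```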