Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update TLS Protocols, TLS Ciphers and ECDH curves for SMTP #45

Open
psychofaktory opened this issue Feb 17, 2022 · 3 comments
Open

Update TLS Protocols, TLS Ciphers and ECDH curves for SMTP #45

psychofaktory opened this issue Feb 17, 2022 · 3 comments

Comments

@psychofaktory
Copy link

As test tools show, this area should be adjusted somewhat:
https://www.hardenize.com/report/duqued.net/1644785601#email_tls
https://tls.imirhil.fr/smtp/duqued.net
https://www.immuniweb.com/ssl/central.duqued.net/KK1XjNVd/

TLSv1.0 and TLSv1.1 should be disabled, the used Cipher-Suites and ECDH curves and their order should be reviewed, so that the server meets the current security standards.
I have found a recommendation for this here:
https://ciphersuite.info/cs/?tls=tls12&security=recommended&software=openssl&sort=desc&singlepage=true

I found a description for the required adjustments here:
https://the-digital-native.de/?p=26

The tests also indicate that the nginx configuration of the web server could still be improved:
https://securityheaders.com/?q=central.duqued.net&hide=on&followRedirects=on
@ddavness
Copy link
Owner

I am a bit reluctant in dropping <TLSv1.2 (at least by default) just yet. Unlike web browsers that get new versions relatively quickly and where old versions not supporting new protocols are dropped almost as soon as they are considered obsolete, some mail servers might still be running legacy software that doesn't support TLSv1.2. MIAB (and by consequence this fork, too) even supports mail to be sent or received in the clear if the other side doesn't support encryption.

According to Google, a chunk of the mail is still delivered in plaintext: https://transparencyreport.google.com/safer-email?hl=en

This said, there are some parameters that can for sure be improved without compromising compatibility too much. I'll be looking into that in the following days :)

@psychofaktory
Copy link
Author

Thanks for this!
The greatest possible compatibility should of course remain guaranteed. But MIAB has always stood for authenticity and security. Especially this great fork I see as a pioneer regarding modern standards.
I think a compromise should be found here.

Holding on to old standards for compatibility reasons ultimately only leads to a slow decline in their spread globally.

An example for commercial and very common mail service providers with modern standards are:
gmail.com
posteo.de

ddavness added a commit that referenced this issue Feb 18, 2022
@ddavness
Update Postfix TLS configuration (#45)
4da6f66 
* Update the list of very old ciphers that shouldn't be used at all
* Enforce cipher preference server side
@ddavness
Copy link
Owner

Not a lot, essentially I've updated the list of very old cipher suites that shouldn't even be used at all and enabled the server suite preference (i.e. the server picks the cipher algorithm), but that should bring it a bit closer to what you're aiming for.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ddavness @psychofaktory