Re: proposed text for crypto-policies in Packaging Guidelines

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am 08.08.2014 um 15:44 schrieb Eric H. Christensen:
> On Fri, Aug 08, 2014 at 03:36:51PM +0200, Reindl Harald wrote:
>> Am 08.08.2014 um 15:21 schrieb Nikos Mavrogiannopoulos:
>>> Postfix is a different kind of beast though. It does not typically use
>>> TLS, but uses some kind of opportunistic security that allows anonymous
>>> ciphersuites. So it's a bit hard to enforce anything there, as
>>> man-in-the-middle attacks are possible by design
> 
>> and keep in mind in case of opportunistic TLS if you restrict
>> ciphers and the SMTP client don't support what you offer it
>> falls back to completly plaintext which defeats the intention
> 
> Falling back to an insecure cipher only provides a false sense of security 
> which isn't any better than plaintext.

that is nonsense - it would be good if people stop to
confuse SMTP with HTTP - in case of SMTP there is
no warning and dialog in front of a human

* plaintext can read anybody
* decrypt a "insecure cipher" needs time and knowledge

you have no choice on the MTA side - you can't enforce
encryption on a incoming MX and in case of opportunistic
TLS you have *no chance* to defeat a MITM at all

so the only thing you can do is make more harm by
implicitly disable encryption at all for incoming
mail which otherwise would have been encrypted

that was discussed thousands of times on the postfix list and
*please* if you don't agree talk on the postfix list, they guy
which wrote most of the TLS code in postfix is the author of
that below and explained it often enough
http://tools.ietf.org/html/draft-dukhovni-smtp-opportunistic-tls-00

you *can not* enforce ciphers for opportunistic TLS - period
because that is the nature of *opportunistic*

whatever you try to enforce that way in defaults will come back as
bugreport and howtos "first after you install Fedora on a MTA you
need to change the following settings until it is useable as public MX"





Attachment: signature.asc
Description: OpenPGP digital signature

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux