On 08.08.2014 at 15:44, Eric H. Christensen wrote:
> On Fri, Aug 08, 2014 at 03:36:51PM +0200, Reindl Harald wrote:
>> On 08.08.2014 at 15:21, Nikos Mavrogiannopoulos wrote:
>>> Postfix is a different kind of beast though. It does not typically use
>>> TLS, but uses some kind of opportunistic security that allows anonymous
>>> ciphersuites. So it's a bit hard to enforce anything there, as
>>> man-in-the-middle attacks are possible by design
>
>> and keep in mind in case of opportunistic TLS if you restrict
>> ciphers and the SMTP client doesn't support what you offer it
>> falls back to completely plaintext which defeats the intention
>
> Falling back to an insecure cipher only provides a false sense of security
> which isn't any better than plaintext.

That is nonsense - it would be good if people stopped confusing SMTP with
HTTP - in case of SMTP there is no warning and dialog in front of a human

* anybody can read plaintext
* decrypting an "insecure cipher" needs time and knowledge

You have no choice on the MTA side - you can't enforce encryption on an
incoming MX, and in case of opportunistic TLS you have *no chance* to
defeat a MITM at all, so the only thing you can do is make more harm by
implicitly disabling encryption at all for incoming mail which otherwise
would have been encrypted

That was discussed thousands of times on the postfix list and *please*,
if you don't agree, talk on the postfix list; the guy who wrote most of
the TLS code in postfix is the author of that below and explained it
often enough

http://tools.ietf.org/html/draft-dukhovni-smtp-opportunistic-tls-00

You *can not* enforce ciphers for opportunistic TLS - period, because
that is the nature of *opportunistic*. Whatever you try to enforce that
way in defaults will come back as bug reports and howtos "first after you
install Fedora on an MTA you need to change the following settings until
it is usable as public MX"
Attachment: signature.asc (OpenPGP digital signature)
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
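The distinction the thread is arguing about, as an added Postfix configuration example (not from the original message, the Fedora packaging, or the Postfix project). It shows the public MX left at opportunistic TLS with the default cipher grade, the setting that causes the plaintext fallback the thread describes, and, going one step beyond the thread, the submission service where mandatory TLS actually belongs because the clients are the site's own users. Certificate paths and the `submission` service definition are assumptions; the parameter names (`smtpd_tls_security_level`, `smtpd_tls_ciphers`, `smtpd_tls_mandatory_ciphers`, `smtpd_tls_auth_only`) are real Postfix parameters. Postfix only treats `#` at the start of a line as a comment, so every comment here is on its own line.

```conf
# /etc/postfix/main.cf (added example; certificate paths are placeholders)

# Port 25 MX: opportunistic TLS. The remote MTAs are strangers and nobody
# is watching the session. If the cipher list excludes everything the peer
# offers, Postfix does not refuse the mail; the session simply continues in
# plaintext. So the level stays "may" and the cipher grade stays at the
# Postfix default ("medium"), which still admits the anonymous suites the
# thread mentions. Any TLS here is better than none.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/PLACEHOLDER-mx.pem
smtpd_tls_key_file = /etc/pki/tls/private/PLACEHOLDER-mx.key
smtpd_tls_ciphers = medium
# Level 1 logs one line per TLS session (Anonymous/Untrusted/Trusted),
# which is the data to look at before touching the cipher grade.
smtpd_tls_loglevel = 1

# Outbound to other MXes, same reasoning: take whatever the remote offers.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# What NOT to do on a public MX: raising the opportunistic cipher grade.
# A peer that cannot match "high" does not fail closed, it delivers the
# message in the clear, so mail that would have been encrypted with a
# "medium" suite now travels unencrypted.
# smtpd_tls_ciphers = high

# Equally pointless here: the mandatory-cipher parameter is consulted only
# at level "encrypt" or higher, so at level "may" this line changes nothing.
# smtpd_tls_mandatory_ciphers = high


# /etc/postfix/master.cf, submission service for the site's own users
# (port 587). Enforcement belongs here: the clients are configured by the
# site, so a failed handshake is a visible error in the user's mail client,
# not a silent downgrade to plaintext.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
```

Before anyone tightens the MX side, the check that settles the argument on a real server is the log: with `smtpd_tls_loglevel = 1`, each inbound TLS session is logged as `Anonymous TLS connection established from ...`, `Untrusted TLS connection established from ...` or `Trusted ...` with the negotiated protocol and cipher, and every session that falls into a grade you are about to exclude is one that would have arrived in plaintext instead. `postconf -d smtpd_tls_ciphers` shows the compiled-in default, `postconf -n` what the local configuration overrides.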