proposed text for crypto-policies in Packaging Guidelines

Reindl Harald h.reindl at thelounge.net
Fri Aug 8 14:11:51 UTC 2014


On 08.08.2014 at 15:44, Eric H. Christensen wrote:
> On Fri, Aug 08, 2014 at 03:36:51PM +0200, Reindl Harald wrote:
>> On 08.08.2014 at 15:21, Nikos Mavrogiannopoulos wrote:
>>> Postfix is a different kind of beast though. It does not typically use
>>> TLS, but uses some kind of opportunistic security that allows anonymous
>>> ciphersuites. So it's a bit hard to enforce anything there, as
>>> man-in-the-middle attacks are possible by design
> 
>> and keep in mind in case of opportunistic TLS if you restrict
>> ciphers and the SMTP client doesn't support what you offer it
>> falls back to completely plaintext which defeats the intention
> 
> Falling back to an insecure cipher only provides a false sense of security 
> which isn't any better than plaintext.

that is nonsense - it would be good if people stopped
confusing SMTP with HTTP - in case of SMTP there is
no warning and dialog in front of a human

* anybody can read plaintext
* decrypting an "insecure cipher" needs time and knowledge

you have no choice on the MTA side - you can't enforce
encryption on an incoming MX and in case of opportunistic
TLS you have *no chance* to defeat a MITM at all

so the only thing you can do is do more harm by
implicitly disabling encryption entirely for incoming
mail which otherwise would have been encrypted

that was discussed thousands of times on the postfix list and
*please* if you don't agree talk on the postfix list, the guy
who wrote most of the TLS code in postfix is the author of
that below and explained it often enough
http://tools.ietf.org/html/draft-dukhovni-smtp-opportunistic-tls-00

you *can not* enforce ciphers for opportunistic TLS - period
because that is the nature of *opportunistic*

whatever you try to enforce that way in defaults will come back as
bug reports and howtos "first after you install Fedora on an MTA you
need to change the following settings until it is usable as public MX"
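
Added example, not part of the original message and not Postfix code: one way to measure the effect discussed above before restricting ciphers on an inbound MX, by counting logged sessions whose negotiated cipher the restriction would refuse and which could therefore fall back to plaintext. The log lines are constructed, and REJECTED_TOKENS and fallback_exposure are hypothetical names; the line format is what Postfix smtpd logs with smtpd_tls_loglevel = 1.

```python
import re
from collections import Counter

# Postfix smtpd lines as logged with smtpd_tls_loglevel = 1.
EVENT = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?:(?P<ev>connect|disconnect) from \S+"
    r"|\w+ TLS connection established from \S+ \S+ with cipher (?P<cipher>\S+))"
)
# Hypothetical restriction under evaluation (an assumption, not a Fedora or Postfix default).
REJECTED_TOKENS = ("RC4", "EXP", "NULL", "MD5")

def fallback_exposure(lines, rejected=REJECTED_TOKENS):
    """Count inbound sessions as plaintext, kept, or at_risk under the restriction."""
    sessions, totals = {}, Counter()  # sessions: smtpd pid -> cipher (None = no TLS)
    def close(pid):
        cipher = sessions.pop(pid)
        if cipher is None:
            totals["plaintext"] += 1
        else:  # at_risk is an upper bound: the client may also share a stronger cipher
            totals["at_risk" if any(t in cipher for t in rejected) else "kept"] += 1
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        pid = m["pid"]
        if m["ev"] == "connect":
            if pid in sessions:  # the previous session's disconnect line is missing
                close(pid)
            sessions[pid] = None
        elif pid in sessions and m["ev"] == "disconnect":
            close(pid)
        elif pid in sessions and m["cipher"]:
            sessions[pid] = m["cipher"]
    for pid in list(sessions):  # sessions still open at the end of the log
        close(pid)
    return totals

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
Aug  8 14:00:01 mx postfix/smtpd[2101]: connect from a.example[192.0.2.10]
Aug  8 14:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  8 14:00:02 mx postfix/smtpd[2101]: disconnect from a.example[192.0.2.10]
Aug  8 14:00:05 mx postfix/smtpd[2101]: connect from b.example[192.0.2.20]
Aug  8 14:00:06 mx postfix/smtpd[2102]: connect from c.example[192.0.2.30]
Aug  8 14:00:06 mx postfix/smtpd[2102]: Anonymous TLS connection established from c.example[192.0.2.30]: TLSv1 with cipher RC4-SHA (128/128 bits)
""".splitlines()
```

The at_risk count is the number of currently encrypted sessions that depend on a cipher the restriction removes; the log does not show what else those clients support, so it is a ceiling on new plaintext deliveries, not a prediction.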
