Postfix – How to Disable TLS_AES_128_GCM_SHA256 or Set TLSv1.3 Ciphers

cipherpostfixssl

I have the following in my TLS configuration, but the only problem I have is that TLS_AES_128_GCM_SHA256 is a 128 bit cipher, and I would like to remove it:

smtpd_tls_eecdh_grade = ultra
smtp_tls_eecdh_grade = ultra
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384

And if I try to change tls_high_cipherlist to somehow disable the TLSv1.3 cipher, I cannot:

tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:!TLS_AES_128_GCM_SHA256

Adding !TLS_AES_128_GCM_SHA256 at the end doesn't work. How can I achieve this? Even if I add the required ciphers at the end, it won't work that way either.

I am able to do this on Apache by doing:

SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

But, I couldn't find anything related to TLSv1.3 in postfix.

The TLSv1.2 Cipher suites that my server supports:

 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 384   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 384   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 4096    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Best Answer

TLS 1.3 has mandatory-to-implement cipher suites (RFC 8446, 9.1) you should not try and remove:

A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).

A TLS-compliant application MUST support digital signatures with rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for CertificateVerify and certificates), and ecdsa_secp256r1_sha256. A TLS-compliant application MUST support key exchange with secp256r1 (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748].

TLS 1.3 has already removed all weak cipher suites by design (RFC 8446, 1.2), so this is not something you should be worrying about.

Getting 100% from Qualys SSL Labs Server Test should not be your major goal. They have their own Rating Guide that specifies their scoring e.g. for Cipher Strength. They have decided that 128 bit ciphers are not worth 100%, and they do not make exceptions based on standards. However, it still gives an A+ grading.

Cipher strength Score

0 bits (no encryption) 0%

< 128 bits (e.g., 40, 56) 20%

< 256 bits (e.g., 128, 168) 80%

= 256 bits (e.g., 256) 100%

Cipher strength	Score
0 bits (no encryption)	0%
< 128 bits (e.g., 40, 56)	20%
< 256 bits (e.g., 128, 168)	80%
= 256 bits (e.g., 256)	100%

Instead, you should be focusing on a suitable tradeoff between security and compatibility.

Related Solutions

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Ssl – How to force a own set of ciphers in Postfix 2.11

From Applied Crypto Hardening by bettercrypto.org:

smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

[UPDATE: As the bettercrypto project, where I have the cipher-string from, is no longer active, make sure to chose your cipher-string from a current source.]

For master.cf you may want to configure the submission port to TLS only:

submission inet n - - - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o tls_preempt_cipherlist=yes

However, this does not disallow usage of outdated ciphers for security level may, according to pull request #97, you can do this with:

smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

But this has not been merged with the following reason:

I am going to close this, SSLv3 makes sense here since it's better than good ol' plaintext.

Best Answer

Related Solutions

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Ssl – How to force a own set of ciphers in Postfix 2.11

Related Topic