On Thu, Nov 15, 2012 at 01:04:21AM -0500,
thor...@lavabit.com wrote:
> > Do you really need a CA for your SMTP server certificate? Which
> > SMTP clients will trust this private CA?
>
> What do you mean by "SMTP clients"? Are you talking about software or
> people? I'm the only user of that machine. IIRC, it's possible to check
> certificates in Gnus, but I haven't tried yet.
Software that sends email via SMTP is an SMTP client. Any clients
that trust your private-label CA, could just as easily directly
trust the self-signed server certificate of your solitary server.
> > Better yet, don't bother with a CA if you don't need one.
>
> Hm, which steps [0] can be painlessly omitted? I thought that it's always
> necessary to have (or to be) a CA.
No, you don't need a dedicated root CA to sign a you server
certificate, your server certificate can just be self-signed, this
was covered quite a few messages ago, when you first started asking
about TLS.
openssl req -new -x509 ...
generates a self-signed certificate, you can just use that.
> > For modern clients that use EDH or ECDH
> > ciphers the certificate is not what protects the confidentiality
> > of the traffic (from passive eavesdropping attacks). It makes little
> > sense to waste CPU and risk server DoS with no upside.
>
> Does it mean that I should use ECDH if I want to prevent eavesdropping?
> Could you suggest a guide?
I am talking about the subset of SSL ciphers that use Diffie-Hellman
ephemeral key agreement, either the traditional variant that uses
the multiplicative group of integers modulo a prime, or the more
modern variant that uses the group of points on an elliptic curve
over a finite field.
Neither EDH or EECDH (key exchange) have any direct bearing on the
type of certificate you generate. You should however avoid crazy-large
RSA keys, because most of the protection comes from the key-exchange
algorithm. MITM attacks on your SMTP server are rare, and I bet
noone has ever attacked an SMTP server by cracking its 1024-bit
authentication key.
To enable EDH ciphers on the server side, see:
http://www.postfix.org/TLS_README.html#server_cipher
------ snip --------
To generate your own set of DH parameters, use:
% openssl gendh -out /etc/postfix/dh_512.pem -2 512
% openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
Support for elliptic curve cryptography is available with Postfix
2.6 and OpenSSL 0.9.9 or later. To enable ephemeral elliptic curve
Diffie-Hellman (EECDH) key-exchange, set "smtpd_tls_eecdh_grade =
strong" or "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is
substantially more CPU intensive, and "strong" is sufficiently
secure for most situations.
Examples:
/etc/postfix/
main.cf:
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
------ snip --------
--
Viktor.