SEMI-OT: Prohibiting RC4 Cipher Suites

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Feb 20 20:15:40 CET 2015


On Fri, Feb 20, 2015 at 08:01:09PM +0100, Andreas Fink wrote:

> > How about support (as a fallback) for older clients? How "safe" (no pun
> > intended) is it to disable as of today?
>
> It's simple:  fallback = a MITM attacker can force fallback = you're pwned...
> 

Depends on what one means by "fallback".  When RC4 is enabled
at a low preference, MITM attackers cannot re-order the handshake
without invalidating the TLS "finished" message.

It should be noted that, occasional bilateral security arrangements
aside, MTA to MTA SMTP is generally vulnerable to MITM attacks
regardless of whether RC4 is enabled or not.

With DANE, SMTP client MTAs can also authenticate servers for which
no prior security settings exist, and in *that* case we have a
fairly MITM-resistant protocol.

In Postfix for peers that publish TLSA RRs, the "mandatory" TLS
protocol, cipher and exclusion lists apply.

By all means, try:

    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_exclude_ciphers = RC4

If there are any domains that publish TLSA records for an SMTP
server that is capable only of legacy crypto, both they and I will
be surprised.

-- 
	Viktor.
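The Postfix settings Viktor suggests apply only to the "mandatory" policy, i.e. to peers with TLSA records, while opportunistic connections keep their own (weaker) lists. The following script is an added illustration, not part of the thread or of Postfix itself: it parses a constructed main.cf fragment (Postfix's "name = value" syntax with whitespace-continued lines) and reports whether the DANE-mode policy actually excludes RC4 and the SSLv2/SSLv3 protocols, with a second, weaker fragment for comparison. The parameter names are real Postfix parameters; the two fragments and the function names are constructed for the example.

```python
"""Check a Postfix main.cf fragment for the DANE-related TLS settings
discussed above (added example, not Postfix tooling)."""
import re

# Constructed sample: DANE enabled, legacy crypto excluded for TLSA peers.
HARDENED_MAIN_CF = """\
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_exclude_ciphers = RC4,
    aNULL, MD5
# opportunistic (non-DANE) sessions keep RC4 as a last-resort fallback
smtp_tls_exclude_ciphers = aNULL
"""

# Constructed sample: DANE enabled, but the mandatory policy was never tightened.
WEAK_MAIN_CF = """\
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_exclude_ciphers = aNULL
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value'; a line starting with whitespace
    continues the previous value; a line starting with '#' in column 0 is a
    comment; a later setting of the same name overrides an earlier one."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment; skip it
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def check_dane_hardening(params):
    """Return findings about the mandatory (TLSA-peer) TLS policy."""
    protocols = split_list(params.get("smtp_tls_mandatory_protocols", ""))
    excluded = split_list(params.get("smtp_tls_mandatory_exclude_ciphers", ""))
    return {
        "dane_enabled": (params.get("smtp_tls_security_level") == "dane"
                         and params.get("smtp_dns_support_level") == "dnssec"),
        "sslv2_disabled": "!SSLv2" in protocols,
        "sslv3_disabled": "!SSLv3" in protocols,
        # The mandatory exclusion list is the one that matters for DANE peers;
        # smtp_tls_exclude_ciphers alone does not cover them.
        "rc4_excluded_for_dane_peers": any(c.upper() == "RC4" for c in excluded),
    }


def report(text):
    """Human-readable summary of the findings for one main.cf fragment."""
    findings = check_dane_hardening(parse_main_cf(text))
    return ", ".join(f"{k}={'yes' if v else 'NO'}" for k, v in findings.items())


if __name__ == "__main__":
    print("hardened:", report(HARDENED_MAIN_CF))
    print("weak:    ", report(WEAK_MAIN_CF))
```

On a live system the same checks can be run against the output of `postconf -n` instead of an inline fragment; the point the script makes is that excluding RC4 in `smtp_tls_exclude_ciphers` alone leaves the DANE-authenticated policy untouched.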