Postfix 3.7+ custom DH params discouraged on OpenSSL 3

[wolegis]

See https://www.postfix.org/postconf.5.html section smtpd_tls_dh1024_param_file

With Postfix ≥ 3.7, built with OpenSSL version is 3.0.0 or later, if the parameter value is either empty or "auto", then the DH parameter selection is delegated to the OpenSSL library, which selects appropriate parameters based on the TLS handshake. This choice is likely to be the most interoperable with SMTP clients using various TLS libraries, and custom local parameters are no longer recommended when using Postfix ≥ 3.7 built against OpenSSL 3.0.0.

[gstrauss]

Included in #256 is a change for Postfix 3.7+ and OpenSSL 3.0.0+

[janbrasna]

"custom local parameters are no longer recommended"

Well, I believe they mean random arbitrary params, those are def not recommended — but I see no mention of that option being deprecated or anything alike — it's still perfectly fine to use it and provide the safe primes as we do now.

I'd much rather control the groups than leave that to RFC 7919 negotiation allowing mozilla/server-side-tls#299 bad performance:/

EDIT: Ah, okay, sane defaults here, luckily: https://www.postfix.org/postconf.5.html

tls_ffdhe_auto_groups (default: see "postconf -d" output)

The prioritized list of finite-field Diffie-Hellman ephemeral (FFDHE) key exchange groups supported by the Postfix SMTP client and server. OpenSSL 3.0 adds support for FFDHE key agreement in TLS 1.3. In OpenSSL 1.1.1, TLS 1.3 was only supported with elliptic-curve based key agreement. The "tls_ffdhe_auto_groups" parameter makes it possible to configure the list of FFDHE groups that the Postfix client or server will enable in OpenSSL 3.0 and up. This parameter has no effect when Postfix is built against earlier OpenSSL versions.

The default list of FFDHE groups that Postfix enables in OpenSSL 3.0 and up includes just the 2048 and 3072-bit groups. Stronger FFDHE groups perform poorly and EC groups are a much better choice for the same security level. Postfix ignores group names that are unknown to OpenSSL, or that are known but not yet implemented. The FFDHE groups are largely a backup, in case some peer does not support EC key exchange, or EC key exchange needs to be disabled for some pressing reason.

So no need to set, the defaults are reasonably small. (And, eventually can be set empty to disallow FFDHE for TLSv1.3 if deemed necessary in the future, or as a pattern for OpenSSL 3.x compatibility in #256?)

[gstrauss]

Scope of #256 has been reduced. Given that postfix is documented to enable only 2048 and 3072-bit groups for FFDHE for TLSv1.3, we may choose to switch postfix to use DH auto selection (recently removed from PR #256), though not if we choose to disable all FFDHE groups fro TLSv1.3.

[gstrauss]

http://www.postfix.org/FORWARD_SECRECY_README.html

FFDHE Server support

Postfix ≥ 3.1 supports 2048-bit-prime FFDHE out of the box, with no additional configuration. You can also generate your own FFDHE parameters, but this is not necessary and no longer recommended. See the quick-start section for details.

Postfix ≥ 3.8 supports the finite-field Diffie-Hellman ephemeral (FFDHE) key exchange group negotiation API of OpenSSL ≥ 3.0. FFDHE groups are explicitly negotiated between client and server starting with TLS 1.3. In earlier TLS versions, the server chooses the group unilaterally. The list of candidate FFDHE groups can be configured via "tls_ffdhe_auto_groups", which can be used to select a prioritized list of supported groups (most preferred first) on both the server and client. The default list is suitable for most users. Either, but not both of "tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" may be set empty, disabling either EC or FFDHE key exchange in OpenSSL 3.0 with TLS 1.3. That said, interoperability will be poor if the EC curves are all disabled or don't include the most widely used curves.

As @janbrasna noted, the default tls_ffdhe_auto_groups = ffdhe2048 ffdhe3072 in Postfix 3.8 and later is a prudent default and protects against DHEater attacks attempted for TLSv1.3 key exchange with larger ffdhe groups.

With Postfix 3.7 with OpenSSL 3.x+, DH parameter selection is delegated to the OpenSSL library, which means that for TLSv1.2 where DHE_* ciphers are included, the DHEater attack may be viable, so I think it fine to continue for ssl-config-generator to recommend explicitly setting smtpd_tls_dh1024_param_file to downloaded file of ffdhe2048 (for intermediate config)

Therefore, there is no current action to be taken on this issue and I will mark it closed.

---

BTW, current Postfix version is 3.9.0.
Versions of Postfix earlier than 3.6.0 are end-of-life and no longer supported by Postfix.

Given that "Postfix ≥ 3.1 supports 2048-bit-prime FFDHE out of the box, with no additional configuration", that should inform us that the Old ssl-config-generator configuration which uses a 1024-bit prime is very, very, very dated. Postfix 3.0 -- the version series before 3.1 -- reached end-of-life Feb 2019 (!)