How to disable TLS_AES_128_GCM_SHA256 (or, how to set TLSv1.3 ciphers) in postfix
I have the following in my TLS configuration, but the only problem I have is that TLS_AES_128_GCM_SHA256 is a 128 bit cipher, and I would like to remove it:
smtpd_tls_eecdh_grade = ultra
smtp_tls_eecdh_grade = ultra
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, ARIA, RSA, AES128
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
And if I try to change tls_high_cipherlist to somehow disable the TLSv1.3 cipher, I cannot:
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:!TLS_AES_128_GCM_SHA256
Adding !TLS_AES_128_GCM_SHA256 at the end doesn't work. How can I achieve this? Even if I add the required ciphers at the end, it won't work that way either.
I am able to do this on Apache by doing:
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
But, I couldn't find anything related to TLSv1.3 in postfix.
The TLSv1.2 Cipher suites that my server supports:
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 384 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 384 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
x9f DHE-RSA-AES256-GCM-SHA384 DH 4096 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS 1.3 has mandatory-to-implement cipher suites (RFC 8446, 9.1) you should not try and remove:
A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see Appendix B.4).
A TLS-compliant application MUST support digital signatures with rsa_pkcs1_sha256 (for certificates), rsa_pss_rsae_sha256 (for CertificateVerify and certificates), and ecdsa_secp256r1_sha256. A TLS-compliant application MUST support key exchange with secp256r1 (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748].
TLS 1.3 has already removed all weak cipher suites by design (RFC 8446, 1.2), so this is not something you should be worrying about.
Getting 100% from Qualys SSL Labs Server Test should not be your major goal. They have their own Rating Guide that specifies their scoring e.g. for Cipher Strength. They have decided that 128 bit ciphers are not worth 100%, and they do not make exceptions based on standards. However, it still gives an A+ grading.
Cipher strength                   Score
0 bits (no encryption)            0%
< 128 bits (e.g., 40, 56)         20%
< 256 bits (e.g., 128, 168)       80%
= 256 bits (e.g., 256)            100%
Instead, you should be focusing on a suitable tradeoff between security and compatibility.
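Why the !TLS_AES_128_GCM_SHA256 rule in the question has no effect, as an added example (not code from the question, the answer, or Postfix): the OpenSSL cipher-list string that tls_high_cipherlist supplies only selects suites for TLS 1.2 and earlier, and the TLS 1.3 suites are a separate setting it does not touch. The sketch uses Python's ssl module as a stand-in for the same OpenSSL behaviour and assumes a build against OpenSSL 1.1.1 or later; the function names are hypothetical.

```python
import ssl

# Cipher list from the question's second tls_high_cipherlist, including the
# "!TLS_AES_128_GCM_SHA256" exclusion that had no effect.
QUESTION_CIPHERLIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "!TLS_AES_128_GCM_SHA256"
)


def suites_by_version(ctx):
    """Return ({TLS 1.3 suite: bits}, {older-protocol suite: bits}) for ctx."""
    tls13, legacy = {}, {}
    for cipher in ctx.get_ciphers():
        target = tls13 if cipher["protocol"] == "TLSv1.3" else legacy
        target[cipher["name"]] = cipher["strength_bits"]
    return tls13, legacy


def audit(cipherlist):
    """Compare a default server context with one restricted by cipherlist."""
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    restricted_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # set_ciphers() takes the same OpenSSL cipher-list syntax as the question's
    # setting; it configures TLS 1.2-and-earlier suites only.
    restricted_ctx.set_ciphers(cipherlist)
    tls13_default, legacy_default = suites_by_version(default_ctx)
    tls13_restricted, legacy_restricted = suites_by_version(restricted_ctx)
    return {
        "tls13_default": tls13_default,
        "tls13_restricted": tls13_restricted,
        "legacy_default": legacy_default,
        "legacy_restricted": legacy_restricted,
    }


if __name__ == "__main__":
    result = audit(QUESTION_CIPHERLIST)
    print("TLS 1.3 suites unchanged:",
          result["tls13_default"] == result["tls13_restricted"])
    for name, bits in result["tls13_restricted"].items():
        print(f"  TLSv1.3  {name}  {bits} bits")
    for name, bits in result["legacy_restricted"].items():
        print(f"  <=TLSv1.2  {name}  {bits} bits")
```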