[Ach] Postfix 2.9.6 (Wheezy) & tls Compression

Aaron Zauner azet at azet.org
Sun Mar 6 17:22:31 CET 2016


* micah <micah at riseup.net> [06/03/2016 15:03:13] wrote:
> Axel Huebl <axel.huebl at plasma.ninja> writes:
> 
> > just wanted to correct a section in Postfix:
> >
> > For 2.9.6 Wheezy (as described) the option
> >
> >   tls_ssl_options = NO_COMPRESSION
> 
> Since we are on this subject, why is this NO_COMPRESSION option
> suggested? There is no rationale for why this setting is there.
> 
> The only issue with compression that I am aware of is CRIME, which is
> irrelevant for SMTP.

There is currently the same discussion in the IETF's SMTP and
SHUTUP mailing lists: https://goo.gl/Ro9sgW. They're discussing a
new data compression extension. I'm against that, see thread.
There's also BREACH and a team that's working on new attacks and
I've seen CRIME work on non-HTTPS application layer protocols in the
past. That being said; yea, I'm not sure how to do it for mail
protocols either, but - at least for BetterCrypto - we've always
collectively decided to be on the safe side and disable compression
in all of our recommendations.

Aaron
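
Added example, not part of the original message or of the BetterCrypto guide: a small offline check that a Postfix main.cf ends up with NO_COMPRESSION in tls_ssl_options, following main.cf's continuation and last-definition-wins rules. The sample file and function names are constructed for illustration; the check reads the file text only, recognises named options only, and cannot tell whether the installed Postfix version honours the parameter.

```python
import re

# Constructed sample main.cf (not from the thread): the option is set twice and
# the later, continued definition is the one Postfix would use.
SAMPLE_MAIN_CF = """\
# TLS settings
smtpd_tls_security_level = may
tls_ssl_options = NO_TICKET
tls_ssl_options = no_ticket,
    # comment inside a continued value
    NO_COMPRESSION
"""

def parse_main_cf(text):
    """Return {name: value} using main.cf rules: '#' lines and blank lines are
    ignored, a line starting with whitespace continues the previous logical
    line, and the last definition of a parameter wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # continuation line
        else:
            logical.append(raw.strip())        # new logical line
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()  # later definitions overwrite
    return params

def compression_disabled(text):
    """True if the effective tls_ssl_options names NO_COMPRESSION.
    Option names are matched case-insensitively; a numeric (bitmask) value
    is not decoded by this check."""
    value = parse_main_cf(text).get("tls_ssl_options", "")
    names = {n.upper() for n in re.split(r"[,\s]+", value) if n}
    return "NO_COMPRESSION" in names

if __name__ == "__main__":
    print(compression_disabled(SAMPLE_MAIN_CF))
```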