[Ach] Postfix 2.9.6 (Wheezy) & tls Compression

Lewis G Rosenthal lgrosenthal at 2rosenthals.com
Sun Mar 6 20:22:29 CET 2016

On 03/06/16 09:52 am, micah wrote:
> Lewis G Rosenthal <lgrosenthal at 2rosenthals.com> writes:
>> Hi...
>> On 03/06/16 09:02 am, micah wrote:
>>> Axel Huebl <axel.huebl at plasma.ninja> writes:
>>>> just wanted to correct a section in Postfix:
>>>> For 2.9.6 Wheezy (as described) the option
>>>>     tls_ssl_options = NO_COMPRESSION
>>> Since we are on this subject, why is this NO_COMPRESSION option
>>> suggested? There is no rationale for why this setting is there.
>>> The only issue with compression that I am aware of is CRIME, which is
>>> irrelevant for SMTP.
>> According to the postfix docs:
>>      Compression is CPU-intensive, and compression before encryption does not
>>      always improve security.
>> For performance reasons alone, and the lack of evidence to support that it
>> would add better security, it is best left disabled.
> Sure... but these recommendations are not about performance, if they
> were I would expect other recommendations to also appear.
> I don't think the clause 'compression before encryption does not always
> improve security' means that compression should be disabled to improve
> security.

I don't disagree, but Aaron's point is well taken. The idea is that there is 
no indication that compression makes things *safer* (better crypto), so in 
the absence of such evidence, it should probably be disabled.

Now, as to the wording of the above from the postfix docs, I suspect that 
again, the author chose to err on the side of caution, and I take the 
meaning to be that there is simply no compelling reason (better security or 
performance) to leave it enabled.

We'll see what comes of the current SHUTUP discussion.

Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies   see www.2rosenthals.com

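To make the setting under discussion checkable, here is an added example (not from the thread, the Ach document or Postfix itself) that parses a main.cf fragment the way postconf reads it and reports whether tls_ssl_options lists NO_COMPRESSION; the sample configuration is constructed.

```python
import re

# Constructed main.cf fragment (not from the thread): a comment, a
# continuation line, and a later redefinition of the same parameter.
SAMPLE_MAIN_CF = """\
# TLS settings
smtpd_tls_security_level = may
tls_ssl_options = NO_TICKET,
    NO_COMPRESSION
tls_ssl_options = no_compression NO_TICKET
"""


def parse_main_cf(text):
    """Parse Postfix main.cf text into {parameter: value}.

    A logical line starts at column 0; a line beginning with whitespace
    continues the previous logical line. Lines starting with '#' are
    comments. If a parameter is defined more than once, the last
    definition wins, which is what postconf reports.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():          # continuation of the previous line
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def ssl_options(params):
    """Return the tls_ssl_options names, upper-cased. Postfix accepts the
    names separated by commas and/or whitespace; case is normalised here
    so that mixed-case spellings are matched as well."""
    value = params.get("tls_ssl_options", "")
    return {tok.upper() for tok in re.split(r"[,\s]+", value) if tok}


def compression_disabled(main_cf_text):
    """True if the effective tls_ssl_options value contains NO_COMPRESSION."""
    return "NO_COMPRESSION" in ssl_options(parse_main_cf(main_cf_text))


if __name__ == "__main__":
    print(compression_disabled(SAMPLE_MAIN_CF))
```

On a live system the same check applies to the output of `postconf tls_ssl_options`, which already resolves continuation lines and overrides.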