Perfect Forward Secrecy is an important enhancement to SSL/TLS communications, helping prevent captured SSL traffic from being decrypted even if the attacker has the private key. It's easy enough to support in web servers, but it's also applicable to any other SSL context, such as in mail servers for SMTP, POP3 and IMAP.
This has recently (Sept 2014) come to a head in Germany, where data protection bodies have started inspecting and fining organisations that do not support PFS on their mail servers, along with the Heartbleed and POODLE vulnerabilities. PFS support in web browsers is somewhat patchy, though all the major ones support it - but I'm looking for PFS compatibility info on mail servers and clients, ideally something like SSL Labs' handshake tests provide, but for mail servers.
Can anyone provide or point me at good sources for mail server PFS compatibility?
To clarify, I'm not looking to interrogate a specific server, but to see the results of such testing across a wide range of different servers. For example, it would be useful to know that Outlook 2003 doesn't support ECDHE, or that Android 2 doesn't allow DH params of bigger than 2048 bits (I don't know if these are true, they're just examples). The benefit of this is to know that if I choose to disable some specific cipher, which clients it is likely to affect, just like the SSL Labs tests show for web clients.
You don't need to restrict yourself to a specific cipher, but instead simply enable all ciphers which are acceptable to you, in the order you prefer them. The resulting cipher will then be negotiated between client and server depending on the supported ciphers on both sides. Don't restrict yourself unnecessarily.
As for the ciphers typically used at the server side, you might have a look at Quantifying the quality of TLS support, where I've analyzed the TLS support for SMTP from the top 1M sites according to Alexa, which are about 600000 mail servers with TLS enabled. According to my tests about 33% of the servers use ECDHE ciphers and 52% DHE ciphers, so that 85% use forward secrecy.
And for some more information about the ciphers used that you will not find in the study, here is a detailed list of ciphers negotiated when used with the DEFAULT cipher set of OpenSSL 1.0.1:
Please check the free script written by the firm where one of the highly qualified folks at Security SE works: https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/
If you want to do it slowly and by hand, the openssl portmanteau toolset is very handy. From https://community.qualys.com/thread/12193:
openssl s_client -starttls smtp -crlf -connect YOUR_SMTP_SERVER:25
If you see DHE (Diffie-Hellman Ephemeral) in the cipher suite, it's PFS.
From this post at Security SE (IANA suite name, then the OpenSSL name):
TLS_DHE_DSS_WITH_DES_CBC_SHA        DHE-DSS-CBC-SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA   DHE-DSS-DES-CBC3-SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA        DHE-RSA-DES-CBC-SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   DHE-RSA-DES-CBC3-SHA
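As an added example (not from either answer above, and not a tool of the firm or the study linked there), the following Python script puts the two answers together: it expands a server-side cipher preference string of the kind the first answer recommends (ephemeral suites first, static RSA last) so you can see what order a server would actually offer, it parses the "Cipher :" line that the `openssl s_client -starttls smtp` command from the second answer prints, and it classifies the negotiated suite as ECDHE, DHE, TLS 1.3 (always ephemeral) or static, which is the "do I see DHE in the cipher suite" check done programmatically. The `probe_smtp_starttls()` function performs the same STARTTLS handshake from Python; the host name it takes is a placeholder and nothing contacts the network unless you call it. The sample `openssl s_client` output embedded below is constructed for the example.

```python
"""Forward-secrecy check for SMTP STARTTLS: classify and probe negotiated ciphers.

Added example, not code from the original Q&A. Host names are placeholders;
only probe_smtp_starttls() touches the network, and only when called.
"""
import re
import smtplib
import ssl

# TLS 1.3 suite names carry no key-exchange prefix; every TLS 1.3 handshake
# uses (EC)DHE, so these suites are forward secret by construction.
_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def classify_cipher(name):
    """Return 'ECDHE', 'DHE', 'TLS1.3' or 'static' for an OpenSSL cipher name.

    Only ephemeral Diffie-Hellman (DHE or ECDHE) gives forward secrecy; a suite
    with a static RSA key exchange ('AES256-SHA', 'DES-CBC3-SHA') does not.
    """
    if name in _TLS13_SUITES:
        return "TLS1.3"
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith(("DHE-", "EDH-")):  # OpenSSL spells some old DHE suites EDH-
        return "DHE"
    return "static"


def is_forward_secret(name):
    return classify_cipher(name) != "static"


def preferred_cipher_order(cipher_string="ECDHE:DHE:kRSA:!MD5:!RC4"):
    """Expand a server preference string into the concrete list OpenSSL would offer.

    The default string says: ECDHE suites first, then DHE, then static-RSA key
    exchange last, which is the 'enable everything acceptable, in your preferred
    order' approach rather than pinning one cipher.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


# Matches the 'Cipher    : NAME' line in the SSL-Session block of s_client output.
_CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)


def parse_s_client_output(text):
    """Return the cipher negotiated in `openssl s_client` output, or None on failure.

    openssl prints 'Cipher : 0000' (or '(NONE)') when no suite was agreed.
    """
    m = _CIPHER_LINE.search(text)
    if not m or m.group(1) in ("0000", "(NONE)"):
        return None
    return m.group(1)


def probe_smtp_starttls(host, port=25, timeout=10):
    """Connect to an SMTP server, upgrade with STARTTLS, report the negotiated suite.

    Returns (cipher_name, tls_version, forward_secret). Certificate verification
    is switched off because the goal is to observe the cipher, not to trust the peer.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        name, version, _bits = smtp.sock.cipher()
    return name, version, is_forward_secret(name)


# Constructed sample of the tail of `openssl s_client -starttls smtp` output.
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""


if __name__ == "__main__":
    negotiated = parse_s_client_output(SAMPLE_S_CLIENT_OUTPUT)
    print("sample s_client negotiated:", negotiated, classify_cipher(negotiated))
    print("server would offer, in order:")
    for suite in preferred_cipher_order():
        print("  ", suite, classify_cipher(suite))
    # probe_smtp_starttls("mail.example.invalid")  # placeholder host; uncomment to test a real server
```

Run it as-is to see the preference expansion for your local OpenSSL build; to check a live server, call `probe_smtp_starttls()` with the host name, or pipe the real `openssl s_client` output into `parse_s_client_output()`. A result of "static" means the server picked a suite with no ephemeral key exchange for that client, which is exactly the case the German regulators described in the question are objecting to.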