Whoops, I fully intended to audit the available ciphers; clearly I missed doing that. Should be OK now.
Tragically, PFS is not (yet) supported on the TLS mechanism I am making use of. I hope to be able to change that in the somewhat near future. -----Original Message----- From: Tim Bray [mailto:t...@kooky.org] Sent: Friday, April 01, 2016 5:58 AM To: Kirk MacDonald <kirk.macdon...@corp.eastlink.ca>; mailop@mailop.org Subject: Re: [mailop] Gmail red open padlock composing message On 31/03/16 17:38, Kirk MacDonald wrote: > With thanks to Google for pushing the cause, I implemented STARTTLS > functionality on my org’s MX (as well as outbound SMTP with > opportunistic STARTTLS). Firstly - well done for doing it. Everybody should be enabling TLS. Did you test the install? You have TLS, but there are some issues with your setup: https://ssl-tools.net/mailservers/corp.eastlink.ca So you need to disable the RC4 cipher. Everybody suggests it is insecure. Also you don't support the correct ciphers for Perfect Forward Secrecy. I'm not sure whether this affects whether google shows the padlock or not. Best practice is to get it fixed. I think ssl-tools.net is the best test for TLS mailservers. You can test your mail sending as well. For webservers, use https://www.ssllabs.com/ssltest/ to test. There is also a tool to help make good configs at https://mozilla.github.io/server-side-tls/ssl-config-generator/ What I've realised over the last year or so is that SSL/TLS isn't something you can just fiddle with until it works. If you want it secure, across all browsers, it needs some work. https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ is an excellent book. Tim _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
