RC4 is a conundrum, it is about the only cypher you can negotiate with old MS-Exchange, so if you disable it, then the email will go in clear text. Which one is better? Clear text or RC4? Or too bad for old mail servers?
PFS or Elliptic ciphers are asymmetric in implementation, so you need to check what's negotiated as a sender and as a receiver. Finally it seems some systems do not fall back anymore, if you initiate STARTTLS and can't negotiate it, then you can't send email in clear text. And then look at SMTP STS On Fri, Apr 1, 2016 at 6:00 AM, Kirk MacDonald < kirk.macdon...@corp.eastlink.ca> wrote: > Whoops, I fully intended to audit the available ciphers; clearly I missed > doing that. Should be OK now. > > Tragically, PFS is not (yet) supported on the TLS mechanism I am making > use of. I hope to be able to change that in the somewhat near future. > > > -----Original Message----- > From: Tim Bray [mailto:t...@kooky.org] > Sent: Friday, April 01, 2016 5:58 AM > To: Kirk MacDonald <kirk.macdon...@corp.eastlink.ca>; mailop@mailop.org > Subject: Re: [mailop] Gmail red open padlock composing message > > On 31/03/16 17:38, Kirk MacDonald wrote: > > With thanks to Google for pushing the cause, I implemented STARTTLS > > functionality on my org’s MX (as well as outbound SMTP with > > opportunistic STARTTLS). > > > Firstly - well done for doing it. Everybody should be enabling TLS. > > Did you test the install? > > You have TLS, but there are some issues with your setup: > > https://ssl-tools.net/mailservers/corp.eastlink.ca > > So you need to disable the RC4 cipher. Everybody suggests it is insecure. > > Also you don't support the correct ciphers for Perfect Forward Secrecy. > > > I'm not sure whether this affects whether google shows the padlock or > not. Best practice is to get it fixed. > > I think ssl-tools.net is the best test for TLS mailservers. You can > test your mail sending as well. > > > For webservers, use https://www.ssllabs.com/ssltest/ to test. There is > also a tool to help make good configs at > https://mozilla.github.io/server-side-tls/ssl-config-generator/ > > What I've realised over the last year or so is that SSL/TLS isn't > something you can just fiddle with until it works. If you want it > secure, across all browsers, it needs some work. > > https://www.feistyduck.com/books/bulletproof-ssl-and-tls/ is an > excellent book. > > > Tim > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
