On Sat, 2016-04-02 at 11:42 -0500, frnk...@iname.com wrote:
> Anyone aware of email servers that take the approach that CloudFlare
> has, which is to not allow the lowest common denominator or cleartext to
> be used if there's a better/more-secure cipher, but still support the
> old stuff (in CloudFlare's case, SHA-1) if that's all it can do?
> https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/

I think that is "server preference" for the cipher ordering.
https://github.com/jvehent/cipherscan

For example, gmail (on incoming mail) supports RC4-MD5 over ssl3, and they also have the server control the cipher ordering. But please, why do they prefer RC4-MD5/TLS1.2 over ECDHE-RSA-AES256-GCM-SHA384/TLSv1.2 ?? I don't understand that. Google might know that the only clients that ask for rc4-md5 don't support anything better.

My notes say that Outlook 2011 on Mac OS X needs sslv3/rc4-sha.

Sendmail with a modern openssl:

LOCAL_CONFIG
dnl enable sslv3 on the server side for RC4-SHA
O CipherList=...whatever you want
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

We support sslv3 on incoming connections, but not on outgoing connections.

> I think most would agree it's better to accept receiving email from
> Exchange servers using RC4 than clear text, but that we should be
> aiming for TLSv1.1 or greater.

I agree.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
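Added example (not part of the mailop thread): a small model of what the ServerSSLOptions/ClientSSLOptions lines and the OpenSSL "server preference" flag discussed above decide for an SMTP session. The client profiles, the server cipher order and the per-suite minimum protocol are constructed for illustration; the real negotiation is done by OpenSSL inside sendmail.

```python
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # weakest first
# Constructed: lowest protocol a suite can run under (AEAD/SHA-2 suites need TLS 1.2).
MIN_PROTO = {"ECDHE-RSA-AES256-GCM-SHA384": "TLSv1.2"}


def parse_ssl_options(opts):
    """Turn '+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3' into the set of protocol
    versions that stay enabled (only the NO_* flags are modelled here)."""
    enabled = set(PROTOCOLS)
    for flag in opts.split():
        if flag.startswith("+SSL_OP_NO_"):
            enabled.discard(flag[len("+SSL_OP_NO_"):].replace("_", "."))
    return enabled


def negotiate(srv_protos, srv_ciphers, cli_protos, cli_ciphers, server_preference=True):
    """Highest protocol both sides allow, then the first suite in the preferring
    side's list that the other side also offers and the protocol can carry."""
    common = [p for p in PROTOCOLS if p in srv_protos and p in cli_protos]
    if not common:
        return None  # handshake fails; the MTA would fall back to cleartext or defer
    proto = common[-1]
    usable = lambda c: PROTOCOLS.index(MIN_PROTO.get(c, "SSLv2")) <= PROTOCOLS.index(proto)
    first, second = (srv_ciphers, cli_ciphers) if server_preference else (cli_ciphers, srv_ciphers)
    for c in first:
        if c in second and usable(c):
            return (proto, c)
    return None


# The two option lines from the thread: SSLv3 allowed inbound, refused outbound.
INBOUND = parse_ssl_options("+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE")
OUTBOUND = parse_ssl_options("+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3")
SERVER_CIPHERS = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-SHA", "RC4-MD5"]


def run_scenarios():
    legacy = ({"SSLv3"}, ["RC4-SHA"])  # constructed: the "Outlook 2011" style client
    modern = ({"TLSv1", "TLSv1.1", "TLSv1.2"},
              ["RC4-MD5", "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"])  # RC4 listed first
    return {
        "legacy_in": negotiate(INBOUND, SERVER_CIPHERS, *legacy),
        "modern_in_server_pref": negotiate(INBOUND, SERVER_CIPHERS, *modern),
        "modern_in_client_pref": negotiate(INBOUND, SERVER_CIPHERS, *modern, server_preference=False),
        "out_to_sslv3_only_peer": negotiate({"SSLv3"}, ["RC4-SHA"], OUTBOUND, SERVER_CIPHERS),
    }
```

With server preference the modern client gets AES-GCM even though it lists RC4-MD5 first; the same client under client preference ends up on RC4-MD5, and the outbound policy refuses an SSLv3-only peer outright.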