On Sat, Apr 2, 2016 at 10:40 AM, Carl Byington <c...@five-ten-sg.com> wrote:
> On Sat, 2016-04-02 at 11:42 -0500, frnk...@iname.com wrote:
> > Anyone aware of email servers that take the approach that CloudFlare
> > has, which is not allow the lowest common denominator or cleartext to
> > be used if there's a better/more-secure cipher, but still support the
> > old stuff (in CloudFlare's case, SHA-1) if that's all it can do?
> >
> > https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/
>
> I think that is "server preference" for the cipher ordering.
>
> https://github.com/jvehent/cipherscan
>
> For example, gmail (on incoming mail) supports RC4-MD5 over ssl3, and
> they also have the server control the cipher ordering. But please, why
> do they prefer RC4-MD5/TLS1.2 over ECDHE-RSA-AES256-GCM-SHA384/TLSv1.2
> ?? I don't understand that. Google might know that the only clients that
> ask for rc4-md5 don't support anything better.
>
> My notes say that Outlook 2011 on Mac OSx needs sslv3/rc4-sha.
>
> Sendmail with a modern openssl:
>
> LOCAL_CONFIG
> dnl enable sslv3 on the server side for RC4-SHA
> O CipherList=...whatever you want
> O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
> O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
>
> We support sslv3 on incoming connections, but not on outgoing
> connections.

Well, you can have two different policies for SMTP and SUBMISSION, where SUBMISSION needs to be a bit more relaxed to support all the clients out there, like Outlook 2011...
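As an added illustration (not code from this thread or from sendmail), a small Python model of cipher/protocol negotiation shows why "server preference" only protects capable clients when the server's own ordering is sane, and how the split SMTP/SUBMISSION policy suggested above plays out for a legacy client. The client profiles, protocol lists and cipher orderings are constructed; the protocol-gating rule is simplified to "GCM and SHA-2 suites need TLS 1.2".

```python
# Added example: a constructed model of TLS negotiation, not OpenSSL's logic.
PROTO_RANK = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def cipher_allowed(cipher, proto):
    """Simplified gating: AEAD (GCM) and SHA-2 HMAC suites exist only in TLS 1.2."""
    if any(tag in cipher for tag in ("GCM", "SHA256", "SHA384")):
        return proto == "TLSv1.2"
    return True


def negotiate(srv_protos, srv_ciphers, server_pref, cli_protos, cli_ciphers):
    """Return (protocol, cipher) or None when no handshake is possible."""
    common = set(srv_protos) & set(cli_protos)
    if not common:
        return None
    proto = max(common, key=PROTO_RANK.index)  # newest shared version wins
    # Whichever side "prefers" has its list walked first; the other must agree.
    first, second = ((srv_ciphers, cli_ciphers) if server_pref
                     else (cli_ciphers, srv_ciphers))
    for c in first:
        if c in second and cipher_allowed(c, proto):
            return proto, c
    return None


# Constructed client profiles (Outlook 2011 per Carl's notes: SSLv3 + RC4-SHA).
MODERN = (["TLSv1", "TLSv1.1", "TLSv1.2"],
          ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-MD5"])
OUTLOOK_2011 = (["SSLv3"], ["RC4-SHA"])

# Constructed server orderings: the puzzling one (RC4-MD5 first) and a sane one.
BAD_ORDER = ["RC4-MD5", "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-SHA"]
GOOD_ORDER = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-SHA", "RC4-MD5"]

# Two policies: SMTP (port 25) without SSLv3, SUBMISSION (port 587) keeping
# SSLv3 so legacy MUAs can still encrypt instead of falling back to cleartext.
SMTP_PROTOS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
SUBMISSION_PROTOS = ["SSLv3"] + SMTP_PROTOS


def demo():
    return {
        # server preference with a bad order downgrades a capable client to RC4
        "modern_bad": negotiate(SMTP_PROTOS, BAD_ORDER, True, *MODERN),
        "modern_good": negotiate(SMTP_PROTOS, GOOD_ORDER, True, *MODERN),
        # legacy client: encrypted on SUBMISSION, no TLS at all on the SMTP policy
        "outlook_submission": negotiate(SUBMISSION_PROTOS, GOOD_ORDER, True, *OUTLOOK_2011),
        "outlook_smtp": negotiate(SMTP_PROTOS, GOOD_ORDER, True, *OUTLOOK_2011),
    }
```

Run `demo()` to see the RC4-MD5/TLSv1.2 result Carl describes reproduced by the bad ordering, and the same client getting AES-GCM once the server order is fixed.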
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop