On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users wrote:
> # grep tls main.cf | grep -vE '^#'
> smtp_tls_security_level = encrypt
> smtpd_tls_ask_ccert = yes
> smtpd_tls_CApath = $smtp_tls_CApath

Not generally applicable.

> smtp_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> smtp_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> smtpd_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
> smtpd_tls_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1

Obsolete syntax.

> tls_random_source = dev:/dev/urandom
> smtpd_tls_eecdh_grade = auto

Best defaulted.

> smtp_tls_CApath = /etc/ssl/certs

Pointless except when the security level is "secure" (or "verify").

> tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;

Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers, which are fine to use.

> tls_preempt_cipherlist = yes

This is actually a reasonable setting for a change.

--
    Viktor.