On Fri, Mar 01, 2024 at 08:58:07AM +0100, Alexander Leidinger wrote:
> > > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
> >
> > Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers,
> > which are fine to use.
>
> From the OpenSSL man page:
> ---snip---
> aNULL
> The cipher suites offering no authentication. This is currently the
> anonymous DH algorithms and anonymous ECDH algorithms. These cipher suites
> are vulnerable to "man in the middle" attacks and so their use is
> discouraged. These are excluded from the DEFAULT ciphers, but included in
> the ALL ciphers. Be careful when building cipherlists out of lower-level
> primitives such as kDHE or AES as these do overlap with the aNULL ciphers.
> When in doubt, include !aNULL in your cipherlist.
> ---snip---
That OpenSSL manpage is not aimed at opportunistic TLS, so is a poor fit
for SMTP STARTTLS. The Postfix TLS_README and postconf(5) manpage are
more fit for purpose.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected]
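As an added illustration of the two claims traded above (that the posted list drops the aNULL suites and every non-AEAD suite), here is a short Python script, not from the thread or from Postfix, that feeds the exact cipherlist to the locally linked OpenSSL through the standard `ssl` module and inspects what survives. It assumes only the stock `ssl` module; the `auth-null` and `TLSv1.3` values are what CPython's `get_ciphers()` reports for anonymous suites and TLS 1.3 suites respectively.

```python
import ssl

# The cipherlist quoted in the thread (tls_high_cipherlist) and the
# OpenSSL catch-all it is derived from.
POSTED_LIST = ("ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:"
               "!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384")
ALL_LIST = "ALL"


def expand(cipherlist):
    """Return the TLS <= 1.2 suites OpenSSL selects for a cipherlist string.

    get_ciphers() also reports the TLS 1.3 suites, but those are governed by
    a separate setting (SSL_CTX_set_ciphersuites), so they are filtered out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipherlist)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def anonymous(ciphers):
    """Suite names offering no peer authentication (the aNULL class)."""
    return sorted(c["name"] for c in ciphers if c["auth"] == "auth-null")


def non_aead(ciphers):
    """Suite names that are not AEAD (CBC + HMAC, RC4, and similar)."""
    return sorted(c["name"] for c in ciphers if not c["aead"])


if __name__ == "__main__":
    for label, cl in (("ALL", ALL_LIST), ("posted list", POSTED_LIST)):
        suites = expand(cl)
        print(f"{label}: {len(suites)} suites, "
              f"{len(anonymous(suites))} anonymous, "
              f"{len(non_aead(suites))} non-AEAD")
    print("kept:", ", ".join(c["name"] for c in expand(POSTED_LIST)))
```

The exact counts depend on the OpenSSL build Python is linked against; the point to look at is which suites ALL carries that the posted list removes.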