On 02.03.2010 06:09, Alex wrote:
> What encryption/cipher/key length, session key options, etc, choices
> should I be making if I were to do this today?

That is difficult to say without knowing what you are trying to protect,
your threat model etc. If in doubt, go with the defaults.

> Under what circumstances would you want to choose only TLSv1 and not
> SSLv3 and TLSv1?

AFAIK, differences between TLSv1 and SSLv3:

* Expansion of cryptographic keys from the initially exchanged secret
  was improved
* MAC construction mechanism modified into an HMAC
* Mandatory support for Diffie-Hellman key exchange, the Digital
  Signature Standard, and Triple-DES encryption

In practice, not much of a difference.

> Many of the HOWTOs and guides out there that I could find all pertain
> to older versions of postfix. Any word on when Ralph will be updating
> his book? :-) Is there a book you could recommend that covers
> SSLv3/TLSv1 and later versions of postfix?

http://www.postfix.org/TLS_README.html

Do not change the defaults without understanding the implications.
Postfix defaults are not chosen randomly.

-- 
Eray
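
Added example (not part of the original message, and not Postfix or OpenSSL code): the "MAC construction modified into an HMAC" item above, shown as the SSLv3 record MAC from RFC 6101 next to the TLS 1.0 record MAC from RFC 2246. The function names, the sample secret and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import struct

PAD_LEN = {"md5": 48, "sha1": 40}  # SSLv3 pad lengths per hash (RFC 6101)

def sslv3_mac(secret, seq, ctype, fragment, alg="sha1"):
    """SSLv3 record MAC: the secret is concatenated with fixed pads."""
    n = PAD_LEN[alg]
    header = struct.pack(">QBH", seq, ctype, len(fragment))  # no version field
    inner = hashlib.new(alg, secret + b"\x36" * n + header + fragment).digest()
    return hashlib.new(alg, secret + b"\x5c" * n + inner).digest()

def tls10_mac(secret, seq, ctype, fragment, alg="sha1", version=(3, 1)):
    """TLS 1.0 record MAC: standard HMAC, and the version is authenticated."""
    header = struct.pack(">QBBBH", seq, ctype, version[0], version[1], len(fragment))
    return hmac.new(secret, header + fragment, alg).digest()

def hmac_by_hand(secret, msg, alg="sha1"):
    """HMAC spelled out: the key is XORed into a full hash block, not appended."""
    block = hashlib.new(alg).block_size
    if len(secret) > block:
        secret = hashlib.new(alg, secret).digest()
    key = secret.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(alg, ipad + msg).digest()
    return hashlib.new(alg, opad + inner).digest()

def verify(mac_fn, secret, seq, ctype, fragment, tag):
    """Constant-time check of a received record's MAC."""
    return hmac.compare_digest(mac_fn(secret, seq, ctype, fragment), tag)

# Constructed sample values (not from the original message).
SECRET = bytes(range(20))
RECORD = b"EHLO mail.example.org\r\n"
APPLICATION_DATA = 23  # record content type

if __name__ == "__main__":
    print("SSLv3  :", sslv3_mac(SECRET, 0, APPLICATION_DATA, RECORD).hex())
    print("TLS 1.0:", tls10_mac(SECRET, 0, APPLICATION_DATA, RECORD).hex())
```

Both constructions reject a modified or replayed record; the TLS 1.0 form additionally covers the protocol version bytes, which the SSLv3 form leaves out of the MAC input.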