On Tue, Mar 02, 2010 at 02:42:37PM -0500, Alex wrote:

> > Postfix settings are documented in postconf(5). Unless you are an SSL
> > expert who understands OpenSSL source code in detail, you really should
> > not change the default settings, and generally don't need to know what
> > they are.
>
> So is it at OpenSSL compile time that the ciphers would be specified
> and determined whether or not to make them available to Postfix?

Largely yes, but this sounds like the wrong question. What real problem
are you trying to solve?

> Then when postfix is built, it is able to interpret at that time how to
> integrate and make available the ciphers provided to it by OpenSSL?
>
> > to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
>
> The 168/168 is a reference to the session key, correct? Configured for
> tlsmgr at run-time?

No.

> > The remote system or your OpenSSL library or both do not support AES.
>
> Okay, can I draw the conclusion that the cipher shown is the
> "strongest" available on either the remote or local system?

Yes, the strongest supported by both subject to the preference order of
the server or the client at the server's discretion.

> It's not
> possible to figure out which ciphers are offered to TLS clients on my
> server?

It is possible, but you will most likely shoot yourself in the foot if you
try to use this information to adjust Postfix settings. The Postfix defaults
are chosen carefully, and act as a barrier between shotgun and foot.

What real problem are you trying to solve?

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter
email environment. If you are interested, please drop me a note.
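
Added example, not part of the original message: a simplified Python model of the selection rule described in the reply (first mutually supported cipher, walked in the client's or the server's preference order), plus a parser for the log fragment quoted in the thread. The cipher lists, function names and the `server_order` flag are constructed for illustration and are not Postfix or OpenSSL code.

```python
import re

# Log fragment in the shape quoted in the thread (constructed sample input).
SAMPLE_LOG = "to smtp.mydomain.com TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)"

LOG_RE = re.compile(
    r"(?P<protocol>(?:TLS|SSL)v[\d.]+) with cipher "
    r"(?P<cipher>[A-Za-z0-9_-]+) \((?P<bits_a>\d+)/(?P<bits_b>\d+) bits\)"
)

def parse_tls_log(line):
    """Extract protocol, cipher name and the two bit counts; None if absent."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "protocol": m.group("protocol"),
        "cipher": m.group("cipher"),
        "bits": (int(m.group("bits_a")), int(m.group("bits_b"))),
    }

def negotiate(client_prefs, server_prefs, server_order=False):
    """Return the first cipher both sides support, or None.

    The server decides whose ordering wins: with server_order=True its own
    list is walked first, otherwise the client's list is.
    """
    if server_order:
        primary, other = server_prefs, client_prefs
    else:
        primary, other = client_prefs, server_prefs
    supported = set(other)
    for cipher in primary:
        if cipher in supported:
            return cipher
    return None

# Constructed preference lists: the client offers AES, the server has none,
# which is the situation the quoted reply describes.
CLIENT = ["DHE-RSA-AES256-SHA", "AES256-SHA",
          "EDH-RSA-DES-CBC3-SHA", "DES-CBC3-SHA"]
SERVER = ["DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "RC4-MD5"]

if __name__ == "__main__":
    print(parse_tls_log(SAMPLE_LOG))
    print("client order:", negotiate(CLIENT, SERVER))
    print("server order:", negotiate(CLIENT, SERVER, server_order=True))
```

The same pair of endpoints yields a different cipher depending on whose ordering the server honours, which is why one logged cipher does not reveal the full list either side supports.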