On Tue, Mar 02, 2010 at 04:04:29PM -0500, Alex wrote:

> >> It's not possible to figure out which ciphers are offered to TLS
> >> clients on my server?
> >
> > It is possible, but you will most likely shoot yourself in the foot if
> > you try to use this information to adjust Postfix settings.
> >
> > The Postfix defaults are chosen carefully, and act as a barrier between
> > shotgun and foot. What real problem are you trying to solve?
>
> Well, I'm now really just trying to better understand what it all
> means. I'm sure to think I could do a better job than postfix itself
> would be a mistake.

Postfix selects sensibly strong protocols and ciphers for opportunistic
and mandatory TLS respectively.

> Where did postfix get the information to make its decision?

The documentation is in TLS_README.html

The OpenSSL library implements a (powerful, but fragile) cipher
selection language. Postfix uses the OpenSSL cipher selection language
with care to implement less flexible, but more robust/intuitive cipher
"grade" levels and selects the grade automatically based on the
destination policy.

> I don't see how it put together that chain of encryption and
> authentication to build the tunnel.

Avoid all temptation to tweak the underlying SSL details, and work with
the higher level Postfix interface:

    http://www.postfix.org/TLS_README.html#client_tls_limits
    http://www.postfix.org/TLS_README.html#client_tls_levels
    http://www.postfix.org/TLS_README.html#client_tls_may
    http://www.postfix.org/TLS_README.html#client_tls_encrypt
    http://www.postfix.org/TLS_README.html#client_tls_secure
    http://www.postfix.org/TLS_README.html#client_tls_policy

-- 
	Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
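As an added illustration of the "higher level interface" Viktor points to (not part of his message), the following main.cf fragment and per-destination policy table let Postfix pick the cipher grade from the security level, with no hand-written OpenSSL cipher strings. The domain names, the CA path and the file locations are assumptions.

```ini
# /etc/postfix/main.cf (assumed location) -- client-side TLS policy only.
# Opportunistic TLS to everyone: encrypted when offered, cleartext otherwise.
smtp_tls_security_level = may

# Per-destination overrides; levels and cipher grades come from the table,
# the cipher strings themselves stay at the Postfix defaults.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Needed for "secure": the trust anchors used to verify server certificates.
# Assumed distribution CA directory.
smtp_tls_CApath = /etc/ssl/certs

# Level 1 logs the negotiated protocol and cipher for every TLS session.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy (assumed location; run "postmap" on it after editing)
# destination        level    optional attributes
#
# Mandatory, certificate-verified TLS; accept a name matching either form.
example.com          secure   match=example.com:.example.com
#
# Mandatory encryption, no peer verification, but raise the grade to "high".
example.net          encrypt  ciphers=high
#
# A partner that cannot do TLS at all: never attempt STARTTLS.
[legacy.example.org] none
```

After `postmap /etc/postfix/tls_policy` and a reload, the mail log shows which grade each session actually negotiated, which answers the "what does it all mean" question without touching OpenSSL settings.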