On Mon, Jun 06, 2011 at 11:30:59PM +0200, mouss wrote:

> > If I use postfix with TLS (and courier-imap with TLS) the SASL
> > password and IMAP password are visible in plain text?
>
> No. The purpose of TLS is to encrypt traffic, including passwords.
Sure.

> that said, you need to configure your TLS/SSL servers to only accept
> "non weak" exchanges. For example, only use SSL v3 and TLS v1 (and not
> SSL v2), for encryption, use keys with length > 100 and block length > 100
> (whenever possible, use AES128), ... etc.

Just disable SSLv2, the rest takes care of itself, as an MITM cannot alter the SSLv3 or TLSv1 handshake, and thus unless the client is grossly misconfigured, there is no need to dive into the weeds to disable potentially weak ciphers.

A simple way to get stronger ciphers is:

    http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist

provided no clients offer low-priority ciphers that they can't actually use. Test before broad deployment.

-- 
	Viktor.
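An added example, not from the thread and not Postfix's own code: a small main.cf audit that checks the two points Viktor makes (SSLv2 excluded from the protocol lists, tls_preempt_cipherlist enabled). It assumes the Postfix 2.8-era parameter names smtpd_tls_protocols, smtpd_tls_mandatory_protocols and tls_preempt_cipherlist, and the "!SSLv2" exclusion-list syntax; the sample configs are constructed.

```python
import re

# Added example, not Postfix code: audit a main.cf for the advice above.
# Assumes Postfix 2.8-era names smtpd_tls_protocols, smtpd_tls_mandatory_protocols,
# tls_preempt_cipherlist, and the "!SSLv2" exclusion-list syntax.
PROTOCOL_PARAMS = ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols")

def parse_main_cf(text):
    """main.cf: 'key = value', '#' comments, indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:  # continuation of the previous value
            params[key] += " " + raw.strip()
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params

def sslv2_allowed(value):
    """Protocol lists are inclusion ("SSLv3, TLSv1") or exclusion ("!SSLv2")
    lists; an empty list means every protocol the library supports."""
    items = [t for t in re.split(r"[,\s]+", value) if t]
    if not items:
        return True
    if any(t.startswith("!") for t in items):
        return "!SSLv2" not in items
    return "SSLv2" in items

def audit(text):
    """Return findings; an empty list means the config follows the advice."""
    params, findings = parse_main_cf(text), []
    for name in PROTOCOL_PARAMS:
        if name not in params:
            findings.append(f"{name} not set; version-dependent default applies")
        elif sslv2_allowed(params[name]):
            findings.append(f"{name} still allows SSLv2: {params[name]!r}")
    if params.get("tls_preempt_cipherlist", "no").lower() != "yes":
        findings.append("tls_preempt_cipherlist is not 'yes'; client preference wins")
    return findings

# Constructed sample configs: the weak one beside the corrected one.
WEAK_CF = "smtpd_tls_mandatory_protocols = SSLv2, SSLv3, TLSv1\n"
FIXED_CF = ("smtpd_tls_protocols = !SSLv2\n"
            "smtpd_tls_mandatory_protocols = !SSLv2\n"
            "tls_preempt_cipherlist = yes\n")
```

Run `audit(open("/etc/postfix/main.cf").read())` against a real file to list what still deviates from the advice; the check only reads the configuration, it does not contact the server.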