On 06/06/2011 23:53, Victor Duchovni wrote:
> On Mon, Jun 06, 2011 at 11:30:59PM +0200, mouss wrote:
>
>>> If I use postfix with TLS (and courier-imap with TLS) the SASL
>>> password and IMAP password are visible in plain text?
>>
>> No. The purpose of TLS is to encrypt traffic, including passwords.
>
> Sure.
>
>> That said, you need to configure your TLS/SSL servers to only accept
>> "non weak" exchanges. For example, only use SSL v3 and TLS v1 (and not
>> SSL v2); for encryption, use keys with length > 100 and block length >
>> 100 (whenever possible, use AES128), ... etc.
>
> Just disable SSLv2, the rest takes care of itself, as an MITM cannot
> alter the SSLv3 or TLSv1 handshake, and thus unless the client is
> grossly misconfigured, there is no need to dive into the weeds to disable
> potentially weak ciphers.
The French gov has authored some docs (called RGS) which certainly don't say "that foo is bad", but say "this bar is ok". Unfortunately, most people will only read the "easy part" and will skip the argument/rationale part. As a result, we have the choice between saying "we do it like it's written" and "it's not explicitly written in the RGS, but it's ok because...". Obviously, the first approach is less costly.

PS. I am interested to know about
- other European "recommendations", and
- non-European "recommendations"

> A simple way to get stronger ciphers is:
>
> http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist
>
> provided no clients offer low-priority ciphers that they can't actually
> use. Test before broad deployment.
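As an added example (not from the thread and not Postfix's own code), a small Python audit of a main.cf excerpt for the two points Victor makes: SSLv2 excluded from smtpd_tls_protocols/smtpd_tls_mandatory_protocols, and tls_preempt_cipherlist set to yes. The main.cf samples are constructed; the parser handles indented continuation lines and both the exclusion ('!SSLv2') and inclusion ('SSLv3, TLSv1') list forms.

```python
import re
# Constructed main.cf excerpt, weak on purpose so the checks have something to report.
WEAK_CF = """\
smtpd_tls_protocols = SSLv2, SSLv3,
    TLSv1
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
"""
# The same excerpt after the advice in the thread: SSLv2 excluded, preempt enabled.
FIXED_CF = """\
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
tls_preempt_cipherlist = yes
"""

def parse_main_cf(text):
    """Return {parameter: value}; an indented line continues the previous value, $name is not expanded."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def sslv2_allowed(value):
    """Postfix takes an exclusion list ('!SSLv2, !SSLv3') or an inclusion list ('SSLv3, TLSv1'); empty means no restriction."""
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    if not tokens:
        return True
    if any(t.startswith("!") for t in tokens):
        return "!SSLv2" not in tokens
    return "SSLv2" in tokens

def audit(text):
    """Return findings for the two checks from the thread; an empty list means both pass."""
    p, findings = parse_main_cf(text), []
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        if name not in p:
            findings.append(f"{name} unset: the build default applies, check 'postconf -d {name}'")
        elif sslv2_allowed(p[name]):
            findings.append(f"{name} = '{p[name]}' still allows SSLv2")
    if p.get("tls_preempt_cipherlist", "no").lower() != "yes":
        findings.append("tls_preempt_cipherlist is not 'yes': the client's cipher preference wins")
    return findings
```

Run it against the live file with `audit(open("/etc/postfix/main.cf").read())`; an unset parameter is reported rather than assumed safe, since the compiled-in default varies by Postfix release.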