Hi

On Sat, Jun 21, 2014, at 10:36 AM, Viktor Dukhovni wrote:
> The *default* Postfix TLS cipherlist settings are chosen with care.
> Best practice is to leave them as-is.
>
> See also:
>
> http://www.postfix.org/FORWARD_SECRECY_README.html

Right. That's one of the specific documents I'd already referenced as having read in my OP. It's thorough, and to me, confusing. Which is exactly why I'm here asking.

What, exactly, are the defaults -- as such, recommended -- that you reference? There are tons of variables referenced -- which one's documentation lists that list?

> Best practice is to leave them as-is.

Yet, that same page states:

"It is likely safe to set "smtp_tls_ciphers = medium" if you wish to disable the obsolete "export" and "low" grade ciphers even with opportunistic TLS."

Is that a recommendation?

In the context of this discussion, what happens if "smtp_tls_ciphers = medium" is set, and another server sends TO my server attempting one of those disabled 'obsolete "export" and "low" grade ciphers'? Does the encryption fall back to plain/unencrypted?

Grant