On Sat, Jun 21, 2014 at 10:49:17AM -0700, grantksupp...@operamail.com wrote:

> > See also:
> > 
> >     http://www.postfix.org/FORWARD_SECRECY_README.html
> 
> Right.  That's one of the specific documents I'd already referenced as
> having read in my OP.  It's thorough, and to me, confusing.  Which is
> exactly why I'm here asking.

The Postfix default settings are chosen with care, and changing them without
making things worse rather than better requires significant expertise.

It is best to not make any changes in the cipher settings, except
in specific policy-table work-arounds for problems with specific
domains.

> What, exactly, are the defaults -- as such, recommended -- that you
> reference?  There are tons of variables referenced -- which one's
> documentation lists that list?

The best advice I can give you is to move on to other things to improve.
These aren't the droids you're looking for.

> "It is likely safe to set "smtp_tls_ciphers = medium" if you wish to
> disable the obsolete "export" and "low" grade ciphers even with
> opportunistic TLS."
> 
> Is that a recommendation?  

No.  Just a bone to throw to people who feel compelled to change
something.

> In the context of this discussion, what happens if "smtp_tls_ciphers =
> medium" is set, and another server sends TO my server attempting one of
> those disabled 'obsolete "export" and "low" grade ciphers' ?  Does the
> encryption fall back to plain/unencrypted?

Well, the setting in question is an output setting, and you're
talking about input.  So the question makes no sense.  However,
were you then to connect to a server that supports only weak
ciphersuites, your server would fall back to cleartext delivery.

I repeat, these aren't the droids you're looking for.

-- 
        Viktor.
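As an added illustration that is not part of this thread and not Postfix's own code: the two things the reply does endorse are finding out what the defaults actually are and confining any cipher change to a per-domain policy-table workaround. The script below does both, and shows the one global change the thread quotes ("smtp_tls_ciphers = medium") next to the policy-table entry that re-enables a weaker grade for a single remote that would otherwise fall back to cleartext. "postconf -d", "postmap" and the "ciphers=" policy attribute are real Postfix features; the paths and the domain "weak-tls.example.net" are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread or from the Postfix project.
# Paths and the domain "weak-tls.example.net" are assumptions.
set -e

# 1. Look up the compiled-in defaults instead of guessing: "postconf -d"
#    prints each parameter's default, which is what is in effect whenever
#    main.cf does not mention the parameter.
show_tls_defaults() {
    if command -v postconf >/dev/null 2>&1; then
        postconf -d smtp_tls_security_level smtp_tls_ciphers \
                    smtp_tls_mandatory_ciphers smtp_tls_exclude_ciphers
    else
        echo "postconf not found: run this on the Postfix host" >&2
        return 1
    fi
}

# 2. The global change discussed in the thread, kept minimal. smtp_tls_*
#    parameters govern mail this server SENDS (an "output" setting, as the
#    reply says); inbound TLS is governed by the smtpd_tls_* parameters.
main_cf_settings() {
    printf '%s\n' \
        'smtp_tls_security_level = may' \
        'smtp_tls_ciphers = medium' \
        'smtp_tls_policy_maps = hash:/etc/postfix/tls_policy'
}

# 3. Per-destination workaround. With "medium" globally, a remote that
#    offers only export/low grade ciphersuites fails the TLS handshake
#    and, at the opportunistic "may" level, delivery falls back to
#    cleartext. Instead of weakening every destination, re-enable the
#    weaker grade for that one domain via the policy table.
write_tls_policy() {
    policy="$1"
    cat > "$policy" <<'EOF'
# destination            level  attributes
weak-tls.example.net     may    ciphers=export
EOF
    # Compile the lookup table if Postfix is installed.
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$policy"
    fi
}

# Usage on the mail host (nothing runs when this file is only sourced):
#   show_tls_defaults
#   main_cf_settings >> /etc/postfix/main.cf   # then: postfix reload
#   write_tls_policy /etc/postfix/tls_policy
```

Everything not named in the policy table keeps the global settings, so the weaker grade is scoped to exactly the domain that needs it, which is the shape of workaround the reply allows for.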
