On Mon, Jan 05, 2015 at 06:59:06PM +0100, li...@rhsoft.net wrote:

> >No, this is a bad idea, it is in fact 3DES that is broken with such servers
> 
> Shouldn't we start to disable RC4 as well as DES-CBC3-SHA for those horrible
> outdated crap servers and fall back to unencrypted at all, instead of continuing
> to work around them year after year?

The goal of opportunistic TLS in Postfix is to deliver email with
as much and no more security than is available.  There is no agenda.

With Postfix 2.12 such servers will receive mail (slightly delayed)
without manual intervention.

The number of domains that don't support either AES or CAMELLIA,
but do have working RC4 or 3DES is probably quite low.  So if you
disable RC4, 3DES (and presumably all LOW and EXPORT ciphers) in
the SMTP client the impact should be small, but this should not be
necessary.

Gmail's outbound servers prefer RC4-SHA if offered by the SMTP
server; when Gmail drops RC4 support, these domains will finally
feel real pressure to either disable or fix their TLS stack.

-- 
        Viktor.
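For an administrator who nevertheless chooses to drop RC4 and 3DES (plus LOW and EXPORT) in the Postfix SMTP client while keeping opportunistic TLS, the main.cf fragment below is an added example, not configuration from this thread or from the Postfix project; it assumes the standard Postfix parameters smtp_tls_security_level, smtp_tls_ciphers, smtp_tls_exclude_ciphers and smtp_tls_loglevel, and OpenSSL cipher-list keywords for the exclusions.

```ini
# main.cf fragment (added example, not from the mailing-list thread).
# Opportunistic TLS: encrypt when the peer offers it, otherwise deliver
# in cleartext rather than defer, which is the behaviour discussed above.
smtp_tls_security_level = may

# Cipher grade for the opportunistic client; the exclusion list below
# narrows it further without raising the grade to "high".
smtp_tls_ciphers = medium

# OpenSSL cipher-list keywords. Peers that only offer RC4 or 3DES (and
# nothing from AES/CAMELLIA) will then negotiate no cipher and fall back
# to cleartext; the thread expects that set of domains to be small.
smtp_tls_exclude_ciphers = aNULL, MD5, RC4, 3DES, DES, LOW, EXPORT

# Level 1 logs the negotiated protocol and cipher per delivery, so the
# actual impact of the exclusions can be measured in the mail log before
# deciding whether to tighten or relax them.
smtp_tls_loglevel = 1
```

Apply with `postfix reload` and watch for "Untrusted TLS connection established" lines that stop appearing for a given destination, which indicates that destination has fallen back to cleartext.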
