On 05.01.2015 at 20:23, DTNX Postmaster wrote:
On 05 Jan 2015, at 19:51, li...@rhsoft.net wrote:

Gmail's outbound servers prefer RC4-SHA if offered by the SMTP
server, when Gmail drops RC4 support, these domains will finally
feel real pressure to either disable or fix their TLS stack.

Gmail prefers ECDHE-RSA-AES256-SHA, and has for quite some time now, if
your inbound MTA supports and encourages it.

not true back in 2014/10

I sampled a few days in October, and they all show the same cipher as I
listed above, no others. This is with "tls_preempt_cipherlist = yes"
active, which we've had for almost a year now

where you confirm that Gmail *does not* prefer ECDHE-RSA-AES256-SHA because otherwise "tls_preempt_cipherlist = yes" would not be needed

to my (now stripped) smtpd TLS settings:

* there are no delivery errors over months
* only 0.5% of clients fall back to plain
* no security auditor or scanner complains any longer
