On Thu, Feb 05, 2015 at 10:23:10PM +0100, li...@rhsoft.net wrote:

> On 05.02.2015 at 22:00, SW wrote:
> > smtpd_tls_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4
>
> Disabling DES *and* RC4 is pure nonsense because it leads to some servers
> not being able to send mail to you at all, and way more falling back to
> plain as needed
Yes, I would not disable 3DES, it has held up fairly well, and even RC4 is
largely good enough for opportunistic TLS. Once you disable MD5 (which is
fine in practice) there's no need to disable DES+MD5. The eNULL ciphers are
disabled by default, and there is no need to disable aNULL on servers, you
just lose information that way (you no longer know which clients manifestly
ignore your certificate, which they still do even if one is forced down
their throat).

So a more rational setting along these lines would be:

    smtpd_tls_exclude_ciphers = LOW, EXPORT, MD5

which is sensible largely because it is pointless (no clients use these),
but it looks better to auditors.

-- 
	Viktor.
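A way to see for yourself what each of the two exclusion lists above actually removes on your own OpenSSL build, as an added example that is not part of the thread and not Postfix code. It assumes that Postfix turns every `smtpd_tls_exclude_ciphers` entry into a `!entry` element appended to the OpenSSL cipherlist, and it uses `ALL` as a stand-in base list; the real base list Postfix generates depends on `smtpd_tls_ciphers`/`smtpd_tls_mandatory_ciphers`, so the absolute suite names you get are build- and setting-dependent, only the "what got removed" comparison is the point.

```python
"""Compare what two smtpd_tls_exclude_ciphers settings remove.

Added example, not from the mailing-list thread or from Postfix itself.
Assumption: Postfix appends "!entry" to the OpenSSL cipherlist for each
exclude entry; BASE is a stand-in for the list Postfix would generate.
"""
import ssl

BASE = "ALL"  # stand-in base cipherlist (assumption, not Postfix's real one)

# The two settings discussed in the thread.
EXCLUDE_STRICT = "aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4"
EXCLUDE_SANE = "LOW, EXPORT, MD5"


def exclude_to_cipherlist(exclude, base=BASE):
    """Turn a Postfix-style comma/space separated exclude list into an
    OpenSSL cipherlist: base list first, then one "!entry" per entry.
    "DES+MD5" stays intact; "+" is OpenSSL's intersection operator."""
    entries = [e for e in exclude.replace(",", " ").split() if e]
    return ":".join([base] + ["!" + e for e in entries])


def cipher_names(cipherlist):
    """Cipher suite names the local OpenSSL resolves cipherlist to.
    If nothing is left, set_ciphers raises; report that as an empty list
    instead of crashing, since an empty list is exactly the failure mode
    (no TLS at all) the thread warns about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipherlist)
    except ssl.SSLError:
        return []
    # Note: TLS 1.3 suites are listed too and are unaffected by cipherlists.
    return [c["name"] for c in ctx.get_ciphers()]


def removed_by(exclude, base=BASE):
    """Suite names present under the base list but gone once the exclude
    list is applied, in the base list's preference order."""
    before = cipher_names(base)
    after = set(cipher_names(exclude_to_cipherlist(exclude, base)))
    return [name for name in before if name not in after]


if __name__ == "__main__":
    for label, exclude in (("strict", EXCLUDE_STRICT), ("sane", EXCLUDE_SANE)):
        gone = removed_by(exclude)
        print(f"{label}: smtpd_tls_exclude_ciphers = {exclude}")
        print(f"  cipherlist: {exclude_to_cipherlist(exclude)}")
        print(f"  removes {len(gone)} suites: {', '.join(gone) or '(none)'}")
```

On a modern OpenSSL most of the legacy suites are already absent from `ALL` at the default security level, so the "sane" list typically removes nothing at all, which is the point Viktor makes: the exclusion is harmless because nothing it names is on offer anyway. Run it against the exact `smtpd_tls_ciphers` grade you use in production if you want a faithful picture rather than the `ALL` stand-in.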