Thanks a lot, that was a great answer - most of it is clear now. Just a few things to clarify.

As far as I understood, if I set the `*_security_level` to `may` then the `*_mandatory_ciphers` option is not even considered, since the mandatory one is for mandatory TLS and we set opportunistic TLS with `may`. So I think it won't hurt to just leave them on high, just to be sure? On the other hand, the options for the `smtp(d)_tls_ciphers` are, according to the README, by default `export`, but I think that medium should work out for me.

Also, can you somehow comment on how the list in `smtp(d)_tls_exclude_ciphers` came to be? For those I used, e.g., I know that RC4 is vulnerable to BEAST attacks and SSL is also still insecure, similar to the other two. But for those you list I kind of can't come up with an explanation. I've looked up that for some Microsoft Exchange Server with the corrupted 3DES there is only RC4 possible, so even though I don't really like it I will let RC4 pass.

Additionally, can I somehow tell in which cases the mail would not be sent and in which it will just fall back to plain text? That depends on "how" TLS fails, like you said; would an explanation for that be possible?

I talked to my boss and it is the biggest priority that everything is very secure as long as the trade-off is not too big. So it is fine if I can only talk to about 95% of the servers *AS LONG* as I get a clear indication that the transfer failed because no secure connection was possible. So a side question is whether applications like Thunderbird will give a clear indication when sending the message was not possible? For those who only support plain text I'm OK with it being plain text (since there is nothing I can do). Basically I want to use crypto wherever I can and be sure that the best possible connection method is taken. With the `*_security_level` at `may`, can I really be 100% sure that the best possible is taken?

The way that my boss told me, it felt like if there ever is a problem with the security - since usually very confidential data is sent - I will get a problem, and a ratio of 95% acceptance is OK, as I understood.

Best Regards,
Akimiya

--
View this message in context: http://postfix.1071664.n5.nabble.com/What-is-a-good-and-very-secure-configuration-for-public-postfix-server-nowadays-tp76918p76956.html
Sent from the Postfix Users mailing list archive at Nabble.com.