On Fri, May 22, 2015 at 04:08:44AM -0700, Akimiya wrote:
> > There was a discussion on this list not too long ago about
> > appropriate settings for exclude ciphers.
>
> I was not able to find it by looking for combinations of "exclude" and
> "ciphers" and similar. Do you by chance still have the title or a link to
> it?

The most compact form that leaves the good stuff in place, and
trims the "fat" is:

# Avoid "export" and "low" cipher suites.
#
smtp_tls_ciphers = medium
smtpd_tls_ciphers = medium

# Avoid obsolete protocol versions
#
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3

# Avoid Exchange 2003 interop problems, by using only mainstream ciphers
#
smtp_tls_exclude_ciphers =
    #
    # Disable MD5, DSA, SRP and PSK, and the "exotic" fixed DH cipher suites.
    #
    MD5, aDSS, SRP, PSK, aECDH, aDH,
    #
    # Also disable the largely unused SEED, IDEA, RC2, RC5, ...
    # leaving just AES, CAMELLIA, RC4 and 3DES.
    #
    SEED, IDEA, RC2, RC5

--
Viktor.
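
Added example, not part of the original message or of Postfix: a small audit that joins main.cf logical lines (comment lines skipped, indented lines continuing the previous parameter) and compares the result with the settings recommended above. The function names and the sample file are constructed for illustration; it assumes the `!SSLv2, !SSLv3` exclusion form used in the message and treats `high` as acceptable alongside `medium`.

```python
# Added example. SAMPLE is constructed: the message's parameters with three
# deliberate deviations. Function names are this example's own.
SAMPLE = """\
smtp_tls_ciphers = medium
smtpd_tls_ciphers = low
smtpd_tls_protocols = !SSLv2
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers =
    # Comment lines inside a multi-line value are skipped.
    MD5, aDSS, SRP, PSK, aECDH, aDH,
    SEED, IDEA
"""

# Tokens the message puts in smtp_tls_exclude_ciphers.
WANTED = ["MD5", "aDSS", "SRP", "PSK", "aECDH", "aDH", "SEED", "IDEA", "RC2", "RC5"]

def parse_main_cf(text):
    """Skip blank/comment lines; leading whitespace continues the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
        elif name is not None:
            params[name] += " " + line.strip()
    return params

def items(value):
    return value.replace(",", " ").split()

def audit(params):
    findings = []
    for side in ("smtp", "smtpd"):
        if params.get(side + "_tls_ciphers") not in ("medium", "high"):
            findings.append(side + "_tls_ciphers is not medium or high")
        protos = items(params.get(side + "_tls_protocols", ""))
        for p in ("!SSLv2", "!SSLv3"):
            if p not in protos:
                findings.append(side + "_tls_protocols lacks " + p)
    have = items(params.get("smtp_tls_exclude_ciphers", ""))
    missing = [c for c in WANTED if c not in have]
    if missing:
        findings.append("smtp_tls_exclude_ciphers lacks " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_main_cf(SAMPLE))))
```

To check a live system, pass the text of its main.cf to `parse_main_cf` in place of `SAMPLE`.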