On May 24, 2015, at 9:28 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Sun, May 24, 2015 at 06:38:50AM -0400, Postfix User wrote:
>
>>> smtpd_tls_protocols = !SSLv2, !SSLv3
>>> smtp_tls_protocols = !SSLv2, !SSLv3
>>
>> Wouldn't the following be more secure:
>>
>> smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> No, these are less secure. Bleeding edge security settings mean
> more email sent in the clear, or not delivered at all.

That is an excellent point.

>
>> I thought I saw that listed on this forum earlier this year.
>
> Don't believe all the nonsense posted on the Internet.

Related to the previous paragraph, I know that when I fiddle with SSL settings on a web server, I can easily dig up information on exactly what OS/browser combinations I'll be denying service to (so far, XP + IE6). Having that confidence in knowing what possible visitors I'm denying is nice. Is there any good reference for MTAs and MUAs out there? I'm thinking of something like the matrix Qualys shows in their test results.

Whoever started this thread, thanks. It's always been a little fuzzy to me where OpenSSL and Postfix meet and decide which parameters are set by default (or aren't available). Any future plans to incorporate other SSL libraries?

Thanks,

Charles

> --
> Viktor.
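
Added example (not part of the original thread): short of a published MTA compatibility matrix, a server's own TLS log lines show which peers negotiated only the protocol versions a stricter `*_tls_protocols` setting would exclude. It assumes `smtpd_tls_loglevel = 1` and `smtp_tls_loglevel = 1` are set; the sample log lines, hostnames and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format Postfix logs at TLS loglevel 1
# (hostnames and addresses are documentation placeholders).
SAMPLE_LOG = """\
May 24 09:01:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 24 09:01:40 mx postfix/smtpd[2102]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 24 09:02:11 mx postfix/smtp[2110]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
May 24 09:03:09 mx postfix/smtp[2111]: Trusted TLS connection established to mx2.example.org[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 24 09:04:30 mx postfix/smtpd[2103]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 24 09:05:00 mx postfix/smtpd[2104]: connect from plain.example.net[198.51.100.9]
"""

# smtpd logs "from host[ip]:", smtp logs "to host[ip]:port:".
TLS_LINE = re.compile(
    r"postfix/(?P<svc>smtpd|smtp)\[\d+\]: \w+ TLS connection established "
    r"(?:from|to) (?P<peer>[^\[\s]+)\[[^\]]+\](?::\d+)?: "
    r"(?P<proto>(?:TLS|SSL)v[\d.]+) with cipher"
)

def tally(log_text):
    """Return ({service: Counter(protocol)}, {(service, protocol): {peers}})."""
    counts = defaultdict(Counter)
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            counts[m["svc"]][m["proto"]] += 1
            peers[(m["svc"], m["proto"])].add(m["peer"])
    return counts, peers

def affected_peers(log_text, excluded=("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")):
    """Per service, peers that were seen only with excluded protocol versions."""
    _, peers = tally(log_text)
    result = {}
    for svc in ("smtpd", "smtp"):
        old = set().union(*(p for (s, v), p in peers.items() if s == svc and v in excluded))
        new = set().union(*(p for (s, v), p in peers.items() if s == svc and v not in excluded))
        result[svc] = sorted(old - new)  # would lose TLS under the stricter setting
    return result

if __name__ == "__main__":
    print(dict(tally(SAMPLE_LOG)[0]))
    print(affected_peers(SAMPLE_LOG))
```

With opportunistic TLS, the peers this reports are the ones whose mail would fall back to cleartext or fail, which is the trade-off described in the quoted reply.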