On Sun, May 24, 2015 at 08:00:30PM +0200, DTNX Postmaster wrote:

> Assuming you are talking about the MSA (submission) and not MTA to MTA
> traffic, you can cover the vast majority of the scenarios with the
> following cipher selection string:
>
> EECDH+AES128:EECDH+AES256:EDH+AES128+SHA:RSA+AES+SHA:RSA+3DES:!DSS
Avoid overly explicit cipher selection strings. The good news is that these are explicitly discouraged in Postfix documentation. As I said before, it suffices to set:

    # Optionally, add !SSLv3 if desired
    smtpd_tls_protocols = !SSLv2
    smtpd_tls_ciphers = medium
    smtpd_tls_exclude_ciphers = aKRB5

    # Optionally, add !SSLv3 if desired
    smtp_tls_protocols = !SSLv2
    smtp_tls_ciphers = medium
    smtp_tls_exclude_ciphers = aKRB5

If you need to interoperate with Exchange 2003 SMTP servers, then on the sending Postfix set the client cipher exclusions to:

    smtp_tls_exclude_ciphers =
        #
        # Disable shared-secret, obsolete and exotic ciphersuites
        #
        SRP, PSK, MD5, aKRB5, aDSS, aECDH, aDH
        #
        # Also disable little used block ciphers,
        # leaving just AES, CAMELLIA, RC4 and 3DES.
        # (in the future also ChaCha20)
        #
        SEED, IDEA, RC2, RC5

-- 
Viktor.
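The multi-line exclusion list above relies on the main.cf logical-line rules from postconf(5): a line starting with whitespace continues the previous parameter, and blank lines or lines whose first non-blank character is "#" are ignored wherever they appear. The following script is an added example, not part of Viktor's post or of Postfix itself: it parses a constructed main.cf fragment by those rules, lists the effective cipher exclusions so an operator can verify that the comment lines did not leak into the list, and composes the OpenSSL cipher string that, on the assumption that Postfix appends each exclusion as "!NAME" to the grade's cipherlist, the SMTP client would hand to OpenSSL. The `tls_medium_cipherlist` default used here is assumed from memory and varies by Postfix version.

```python
"""Check a Postfix main.cf TLS cipher fragment the way postconf(5) would read it.

Added example; the parsing rules follow postconf(5), while the cipher-string
composition is an assumption about Postfix internals, not a documented API.
"""
import re

# Constructed sample: the Exchange 2003 compatible exclusions from the post,
# with indented comment lines inside the continuation.
SAMPLE_MAIN_CF = """\
smtp_tls_protocols = !SSLv2
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers =
    #
    # Disable shared-secret, obsolete and exotic ciphersuites
    #
    SRP, PSK, MD5, aKRB5, aDSS, aECDH, aDH
    #
    # Also disable little used block ciphers,
    # leaving just AES, CAMELLIA, RC4 and 3DES.
    #
    SEED, IDEA, RC2, RC5
smtpd_tls_ciphers = medium
"""

# Assumed default for the "medium" grade (tls_medium_cipherlist); check
# `postconf -d tls_medium_cipherlist` on the actual installation.
ASSUMED_MEDIUM_CIPHERLIST = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"


def parse_main_cf(text):
    """Return {parameter: value} using the postconf(5) logical-line rules."""
    params = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        # Blank lines and comment lines are dropped even inside a continuation.
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            # Leading whitespace continues the previous logical line.
            if current is None:
                raise ValueError("continuation line before any parameter: %r" % raw)
            params[current] = (params[current] + " " + stripped).strip()
            continue
        name, sep, value = stripped.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % raw)
        current = name.strip()
        params[current] = value.strip()
    return params


def cipher_list(value):
    """Split a Postfix list value, which may use commas and/or whitespace."""
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def effective_exclusions(text, param="smtp_tls_exclude_ciphers"):
    """Cipher names Postfix would exclude for the given parameter."""
    return cipher_list(parse_main_cf(text).get(param, ""))


def openssl_cipherlist(grade_cipherlist, excluded):
    """Assumed composition: grade cipherlist followed by one "!NAME" per exclusion."""
    return ":".join([grade_cipherlist] + ["!" + name for name in excluded])


if __name__ == "__main__":
    excluded = effective_exclusions(SAMPLE_MAIN_CF)
    print("exclusions:", " ".join(excluded))
    print("cipherlist:", openssl_cipherlist(ASSUMED_MEDIUM_CIPHERLIST, excluded))
```

Feeding the composed string to `openssl ciphers -v '<string>'` on the mail host shows which suites survive; seeing "#" or a comment word in the exclusion list would mean the fragment was indented in a way postconf(5) does not treat as a comment.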