On 25 May 2015, at 01:57, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Sun, May 24, 2015 at 08:00:30PM +0200, DTNX Postmaster wrote:
>
>> Assuming you are talking about the MSA (submission) and not MTA to MTA
>> traffic, you can cover the vast majority of the scenarios with the
>> following cipher selection string;
>>
>> EECDH+AES128:EECDH+AES256:EDH+AES128+SHA:RSA+AES+SHA:RSA+3DES:!DSS
>
> Avoid overly explicit cipher selection strings. The good news is
> that these are explicitly discouraged in Postfix documentation.
>
> As I said before, it suffices to set:
>
>     # Optionally, add !SSLv3 if desired
>     smtpd_tls_protocols = !SSLv2
>     smtpd_tls_ciphers = medium
>     smtpd_tls_exclude_ciphers = aKRB5
>
>     # Optionally, add !SSLv3 if desired
>     smtp_tls_protocols = !SSLv2
>     smtp_tls_ciphers = medium
>     smtp_tls_exclude_ciphers = aKRB5
>
> If you need to interoperate with Exchange 2003 SMTP servers, then
> on the sending Postfix set the client cipher exclusions to:
>
>     smtp_tls_exclude_ciphers =
>         #
>         # Disable shared-secret, obsolete and exotic ciphersuites
>         #
>         SRP, PSK, MD5, aKRB5, aDSS, aECDH, aDH
>         #
>         # Also disable little used block ciphers,
>         # leaving just AES, CAMELLIA, RC4 and 3DES.
>         # (in the future also ChaCha20)
>         #
>         SEED, IDEA, RC2, RC5
>
> --
> Viktor.

I am talking about the MSA here, Viktor, not MTA to MTA traffic. That's
what the previous poster was asking about;

> Is there any good reference for MTAs and MUAs out there? I'm
> thinking of something like the matrix Qualys shows in their
> test results.

Kind regards,
Joni
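The multi-line exclusion list quoted above depends on main.cf continuation lines with comment lines in between. As an added example (not part of the thread and not Postfix code), this Python script parses such a fragment, returns the effective exclusion lists, and flags explicit cipher-string overrides. The sample file and all function names are constructed for illustration, and placing the quoted cipher string in `tls_high_cipherlist` is an assumption about where such a string would be set.

```python
import re

# Constructed main.cf fragment: settings quoted in the thread, plus an assumed
# tls_high_cipherlist override carrying the explicit cipher string.
SAMPLE_MAIN_CF = """\
smtpd_tls_protocols = !SSLv2
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aKRB5
tls_high_cipherlist = EECDH+AES128:EECDH+AES256:EDH+AES128+SHA:RSA+AES+SHA:RSA+3DES:!DSS
smtp_tls_exclude_ciphers =
    #
    # Disable shared-secret, obsolete and exotic ciphersuites
    #
    SRP, PSK, MD5, aKRB5, aDSS, aECDH, aDH
    #
    # Also disable little used block ciphers
    #
    SEED, IDEA, RC2, RC5
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining whitespace-led continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                    # blank and comment lines are ignored
        if raw[0].isspace():            # leading whitespace continues a value
            if current is not None:
                params[current] += " " + stripped
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params

def excluded(params, side):
    """Exclusion tokens for 'smtpd' or 'smtp', split on commas and whitespace."""
    value = params.get(f"{side}_tls_exclude_ciphers", "")
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def audit_tls(params):
    """Flag cipherlist overrides and protocol lists set without !SSLv2."""
    findings = [f"{name}: explicit OpenSSL cipher string overrides grade default"
                for name in sorted(params) if re.fullmatch(r"tls_\w+_cipherlist", name)]
    for side in ("smtpd", "smtp"):
        value = params.get(f"{side}_tls_protocols")
        if value is not None and "!SSLv2" not in re.split(r"[,\s:]+", value):
            findings.append(f"{side}_tls_protocols: SSLv2 not excluded")
    return findings
```

Calling `audit_tls(parse_main_cf(SAMPLE_MAIN_CF))` reports only the `tls_high_cipherlist` override; a protocol parameter that is absent from the file is left to the installed version's default and is not flagged.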