To be RFC compliant, port 25 must accept MTA-to-MTA connections with no encryption.

When another server can't connect with encryption, it will try without.

Allowing weak ciphers is better than the result where ciphers are not used because the other server only supports older ciphers in my opinion.

Hopefully DANE will largely solve this, as we can instruct our mail servers when the other server has a TLSA record to only connect using a strong cipher and not connect at all otherwise.

I'm hoping eventually that becomes standard where every mail server MUST use TLSA records but I don't know if that will ever happen.

On 11/08/2015 04:52 AM, John Allen wrote:
I ran the ssl-tools tests on my mail server.
Everything seems to be OK, *BUT* it reports that I am using a weak
cipher "ECDHE_RSA_WITH_RC4_128_SHA"!

So I sat down and googled - postfix/dovecot/apache - cipher
suites/recommendations less than one year old.
I gave up at about the fifteenth response. Every one of them was
different and gave me lists of ciphers ranging in length from about eight
to almost a full web page.

Would somebody point me in the right direction? I am trying to make my
installation secure, but manageable.
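The policy the reply above describes (verify against a published TLSA record when one exists, refuse if it does not match, fall back to opportunistic TLS when there is none) as an added worked example, not code from either poster or from Postfix. It checks DANE-EE (usage 3) records per RFC 6698 against constructed stand-in certificate bytes; DANE-TA (usage 2) would need full chain validation, which is left out.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # RFC 6698 certificate usage; SMTP DANE (RFC 7672) uses 2 (DANE-TA) or 3 (DANE-EE)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def parse_tlsa(presentation: str) -> TLSA:
    """Parse the DNS presentation form, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))

def _digest(mtype: int, payload: bytes) -> bytes:
    if mtype == 0:
        return payload
    if mtype == 1:
        return hashlib.sha256(payload).digest()
    if mtype == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a DANE-EE record matches the presented end-entity certificate."""
    if record.usage != 3 or record.selector not in (0, 1):
        return False  # DANE-TA (usage 2) needs chain building; not handled here
    payload = cert_der if record.selector == 0 else spki_der
    return _digest(record.mtype, payload) == record.data

def outbound_policy(records, cert_der: bytes, spki_der: bytes) -> str:
    """TLSA published -> require a verified match, else refuse; none -> opportunistic."""
    usable = [r for r in records if r.usage in (2, 3)]
    if not usable:
        return "opportunistic"   # no TLSA: RFC 5321 behaviour, clear text if TLS fails
    if any(tlsa_matches(r, cert_der, spki_der) for r in usable):
        return "verified-tls"
    return "refuse"              # TLSA present but mismatched: do not deliver

# Constructed stand-ins for DER blobs; a real client extracts these from the server cert.
CERT_DER = b"constructed-end-entity-certificate-der"
SPKI_DER = b"constructed-subject-public-key-info-der"
GOOD_RECORD = parse_tlsa("3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest())
STALE_RECORD = parse_tlsa("3 1 1 " + hashlib.sha256(b"rotated-away-key").hexdigest())

if __name__ == "__main__":
    print(outbound_policy([GOOD_RECORD], CERT_DER, SPKI_DER))   # verified-tls
    print(outbound_policy([STALE_RECORD], CERT_DER, SPKI_DER))  # refuse
    print(outbound_policy([], CERT_DER, SPKI_DER))              # opportunistic
```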