On Thu, Mar 03, 2016 at 09:03:55AM -0600, Blake Hudson wrote:

> Viktor Dukhovni wrote on 3/1/2016 11:16 AM:
> > # Suggested, not strictly needed:
> > #
> > smtpd_tls_exclude_ciphers =
> >     EXPORT, LOW, MD5, SEED, IDEA, RC2
> > smtp_tls_exclude_ciphers =
> >     EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
>
> I noticed your exclude list seems a bit more conservative than others
> (SSLLabs, digicert for example). Would you recommend also excluding aNULL
> ciphers?

No. Postfix does that automatically, when authentication is used.

For (typically also opportunistic) unauthenticated encryption there is
little point in disabling aNULL, and some forensic advantage in doing so.

    http://tools.ietf.org/html/rfc7672#section-8.2

> Including aNULL in the exclude list removes the _anon_ ciphers from the
> server's available ciphers.

For little gain. Clients that want to authenticate the server will not use
aNULL ciphersuites. Many of the (Postfix) ones that don't authenticate will
use aNULL, and the server's log will reflect this in the ciphersuite name
(ADH-... or AECDH-...).

-- 
	Viktor.
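The forensic point above (an anonymous key exchange shows up in the Postfix log as an ADH-/AECDH- ciphersuite name) can be checked directly against the mail log. The script below is an added example, not code from the thread or from Postfix; the log lines in SAMPLE_LOG are constructed in the format of Postfix's "TLS connection established" messages, and the host names and addresses in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in Postfix's log format for
# smtpd (inbound, "from") and smtp (outbound, "to") TLS sessions.
SAMPLE_LOG = """\
Mar  3 09:10:01 mx postfix/smtpd[1234]: Anonymous TLS connection established from mta.example.net[192.0.2.10]: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Mar  3 09:10:05 mx postfix/smtpd[1235]: Anonymous TLS connection established from relay.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  3 09:10:09 mx postfix/smtp[1240]: Verified TLS connection established to mail.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 09:10:12 mx postfix/smtpd[1236]: Anonymous TLS connection established from mta2.example.net[192.0.2.11]: TLSv1.2 with cipher AECDH-AES128-SHA (128/128 bits)
Mar  3 09:10:20 mx postfix/smtpd[1237]: disconnect from other.example[192.0.2.99]
"""

# OpenSSL names aNULL ciphersuites with these prefixes (anonymous DH / ECDH).
ANON_PREFIXES = ("ADH-", "AECDH-")

TLS_LINE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established (?:from|to) (?P<peer>[^\s\[]+\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def is_anon_cipher(cipher):
    """True if the key exchange was anonymous (no certificate involved)."""
    return cipher.startswith(ANON_PREFIXES)


def parse_tls_events(log_text):
    """Extract one dict per 'TLS connection established' line.

    Note that smtpd's Anonymous/Untrusted/... label describes the peer's
    certificate; the cipher name is what tells you the key exchange itself
    was anonymous, which is the indicator Viktor refers to.
    """
    events = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            ev = m.groupdict()
            ev["anonymous_kx"] = is_anon_cipher(ev["cipher"])
            events.append(ev)
    return events


def summarize(log_text):
    """Count sessions per Postfix process, split into aNULL vs cert-based."""
    counts = Counter()
    for ev in parse_tls_events(log_text):
        counts[(ev["proc"], "aNULL" if ev["anonymous_kx"] else "cert")] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```

Run it against a real mail log instead of SAMPLE_LOG to see which inbound peers are relying on anonymous ciphersuites, which is exactly the visibility that disabling aNULL on an opportunistic server would remove.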