On Sat, Apr 9, 2016, at 01:16 PM, Viktor Dukhovni wrote:
> Is it bad that you can board a bus without having a passport?

Since you're going to torture me with a metaphor ;-) I'll answer: It depends. But I DO know that dutifully skimming the scum off the top of a pot of boiling stock DEFINITELY results in a cleaner broth. (now my head hurts)

> The anonymous ciphers are not "bad", with
>
>     smtp_tls_security_level = may
>
> all ciphers are effectively anonymous.

I think this may be where I'm confusing myself. Since (from other thread) I'm looking at whether or not I should -- or can, in today's world -- be using

    smtp_tls_security_level = must
    smtpd_tls_security_level = must

Yeah I know one frequent answer is "just leave the Postfix defaults in place", but then you don't actually learn/understand anything.

> Your bus ride is no safer
> when some or all of the passengers bring their passports on board
> and wave them in the air as they board the bus.

Well, at least then you can see their hands! ;-p

> TLS combines multiple cryptographic primitives:

cryptographic primitives? (mathematicians with spears?)

> * Bulk data encryption (medium excludes algorithms weaker than
>   3-DES and 128-bit RC4)
> * Data integrity (SHA1, SHA2, ... MACs or AEAD)
> * Key Exchange (RSA key transport, DHE, ECDHE, ...)
> * Authentication (Web PKI certificates, PSK, ...)
>
> The aNULL ciphers leave out authentication, and make sense for
> opportunistic TLS when you're otherwise willing to send cleartext.
>
> http://www.postfix.org/TLS_README.html#client_tls_levels
> http://www.postfix.org/TLS_README.html#client_tls_limits
> http://www.postfix.org/TLS_README.html#client_tls_may
> https://tools.ietf.org/html/rfc7435

Like I said, I really need to reread all this stuff. It makes sense to you, obviously, but afaict you WRITE this stuff!

Thanks

Jason
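
Added example, not part of the original message and not Postfix code: it splits cipher-suite listing lines into the four primitives quoted above and shows that an aNULL suite differs from the others only in its authentication field. The sample listing is constructed in the layout of `openssl ciphers -v`, and the `acceptable` policy is an assumption made to illustrate the quoted argument.

```python
import re

# Constructed sample, laid out like `openssl ciphers -v` output.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA  Enc=AES(256)    Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1
AECDH-AES256-SHA            SSLv3   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1
PSK-AES128-CBC-SHA          SSLv3   Kx=PSK  Au=PSK  Enc=AES(128)    Mac=SHA1
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
LABELS = {"Kx": "key_exchange", "Au": "authentication",
          "Enc": "bulk_encryption", "Mac": "integrity"}


def parse_suite(line):
    """Split one listing line into the four primitives named in the message."""
    found = dict(FIELD.findall(line))
    missing = sorted(set(LABELS) - set(found))
    if missing:
        raise ValueError(f"no {missing} field in line: {line!r}")
    suite = {LABELS[key]: value for key, value in found.items()}
    suite["name"] = line.split()[0]
    return suite


def parse_listing(text):
    return [parse_suite(line) for line in text.splitlines() if line.strip()]


def is_anonymous(suite):
    """aNULL suites: key exchange and encryption, but no peer authentication."""
    return suite["authentication"] == "None"


def acceptable(suites, peer_must_be_authenticated):
    """Illustrative policy (an assumption, not Postfix's logic): anonymous
    suites are fine only when the fallback would have been cleartext."""
    return [s["name"] for s in suites
            if not (peer_must_be_authenticated and is_anonymous(s))]


if __name__ == "__main__":
    suites = parse_listing(SAMPLE)
    for s in suites:
        print(f'{s["name"]:28} Kx={s["key_exchange"]:5} Au={s["authentication"]:5}'
              f' Enc={s["bulk_encryption"]:12} Mac={s["integrity"]}')
    print("opportunistic :", acceptable(suites, False))
    print("authenticated :", acceptable(suites, True))
```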