On 13.11.2016 21:33, Viktor Dukhovni wrote:
> On Sun, Nov 13, 2016 at 08:42:19AM +0100, Juri Haberland wrote:
>> Just go with the tips from BetterCrypto.org - as the site above suggests,
>> too.
>
> Better yet, stick with the Postfix defaults, they were chosen with
> care to be appropriate for MTA to MTA SMTP. Avoid the vast majority
> of howto guides, they are often inapplicable or poorly informed or
> both.
>
> Sites like BetterCrypto.org are focused on other problem spaces.
> Opportunistic TLS for SMTP is very different from mandatory TLS
> for HTTPS.

They do differentiate between settings for MTA-to-MTA transfers vs. settings for MUA connections:

> Postfix has five internal lists of ciphers, and the possibility to switch
> between those with smtpd_tls_ciphers.
> However, we leave this at its default value for server to server connections,
> as many mail servers
> only support outdated protocols and ciphers. We consider bad encryption still
> better than plain
> text transmission. For connections to MUAs, TLS is mandatory and the
> ciphersuite is modified.

Juri
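Added illustration of the split discussed in this thread (editor's example configuration, not from either poster and not from the BetterCrypto.org guide): port 25 keeps the Postfix defaults for opportunistic MTA-to-MTA TLS, while the submission service on port 587 gets mandatory TLS with its own cipher and protocol settings. The certificate paths are placeholders, and the specific values chosen for the submission service (high ciphers, SSLv2/SSLv3 excluded) are the editor's assumptions, not something the thread prescribes.

```ini
# main.cf fragment: port 25, MTA-to-MTA.
# Opportunistic TLS only; smtpd_tls_ciphers and smtpd_tls_protocols are
# deliberately NOT set, so the Postfix defaults (medium ciphers) apply
# and peers with weak TLS stacks still get encryption instead of cleartext.
# (Postfix main.cf does not allow trailing comments after a value.)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/PLACEHOLDER-cert.pem
smtpd_tls_key_file = /etc/postfix/PLACEHOLDER-key.pem
smtpd_tls_loglevel = 1

# master.cf fragment: port 587, MUA submission.
# security_level=encrypt makes TLS mandatory for this service only, and the
# smtpd_tls_mandatory_* parameters take effect here without touching port 25.
# Values after -o must not contain whitespace.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After editing, `postconf -n` shows which main.cf parameters differ from the defaults (ideally only the security level and key material for port 25), and `postconf -M submission/inet` shows the per-service overrides, which is a quick way to confirm that the stricter settings are scoped to the submission port rather than leaking into the MTA-to-MTA listener.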