On 17 February 2017 at 14:43, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
> Hi,
> Here is how I am dealing with "weak ciphers"
> You may be able to do the same type of config ?
>
> In /etc/postfix/main.cf
>
> # -ALF 2016-09-07
> # disable RC4 ciphers with TLS connections.
> #smtpd_tls_exclude_ciphers = RC4, aNULL
> # -ALF 2017-01-09
> # disable weak ciphers, and RC4 ciphers
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> #-ALF 2107-01-09
> # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA,
> EDH-RSA-DES-CBC3-SHA, RC4, aNULL
>
> -Angelo Fazzina
> Operating Systems Programmer / Analyst
> University of Connecticut, UITS, SSG, Server Systems
> 860-486-9075
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Daniel Bareiro
> Sent: Friday, February 17, 2017 9:40 AM
> To: Postfix users <postfix-users@postfix.org>
> Subject: Strong Ciphers to use with Postfix
>
> Hi all!
>
> I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.
>
> I would like to know what you think of the security settings suggested
> here [1] for Postfix.
>
> I have tested it against this [2] site, but it seems that fails to
> discard other ciphers; on "Weak ciphers" I get "supported
> RSA_WITH_RC4_128_SHA".
>
As I have learned from here, if your MTA is receiving from the world or sending to the world there is little point in enforcing super-strong ciphers on the corresponding connection (smtpd or smtp). If you refuse all unencrypted communication, and only permit super-strong ciphers, you may not be able to receive or send some emails, because not all (even genuine) MTAs will support this; but otherwise if you only permit super-strong ciphers you will just get more unencrypted communication. Of course it is usually pointless/unwise to permit broken ciphers, but these are anyway disabled by default in postfix.
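As an added illustration (not code from either poster), a small Python checker that reads a main.cf the way Postfix does (continuation lines start with whitespace, so the split `smtpd_tls_exclude_ciphers` value above is joined back together) and reports the two points discussed in the thread: exclusions missing from Angelo's weak-cipher list, and a `*_tls_security_level` other than opportunistic `may` that would refuse peers unable to meet it. The sample config and the weak-cipher list are constructed from the thread; nothing here reflects Postfix defaults.

```python
# Constructed sample main.cf fragment modelled on the thread (not any real server's config).
SAMPLE_MAIN_CF = """\
# opportunistic TLS on both the receiving (smtpd) and sending (smtp) side
smtpd_tls_security_level = may
smtp_tls_security_level = may
# exclusion list from the thread; the value continues on an indented line
smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA,
    EDH-RSA-DES-CBC3-SHA, RC4, aNULL
"""

# Ciphers Angelo's config excludes (hypothetical checklist built from the thread).
WEAK_CIPHERS = ("RC4", "aNULL", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA")


def parse_main_cf(text):
    """Parse 'name = value' lines; '#' lines are comments and a line that starts
    with whitespace continues the previous parameter's value (Postfix rule)."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def cipher_set(value):
    """Split a comma-separated Postfix cipher exclusion list into a set."""
    return {c.strip() for c in value.split(",") if c.strip()}


def review_tls(params):
    """Return findings: non-opportunistic security levels and missing exclusions."""
    findings = []
    for side in ("smtpd", "smtp"):
        level = params.get(f"{side}_tls_security_level", "none")
        if level == "none":
            findings.append(f"{side}: TLS not enabled; 'may' gives opportunistic TLS")
        elif level != "may":
            findings.append(f"{side}: level '{level}' refuses peers that cannot meet it")
    excluded = cipher_set(params.get("smtpd_tls_exclude_ciphers", ""))
    for weak in WEAK_CIPHERS:
        if weak not in excluded:
            findings.append(f"smtpd_tls_exclude_ciphers lacks {weak}")
    return findings


if __name__ == "__main__":
    for finding in review_tls(parse_main_cf(SAMPLE_MAIN_CF)) or ["no findings"]:
        print(finding)
```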