On Fri, Feb 17, 2017 at 12:44:35PM -0300, Daniel Bareiro wrote:

Do not confuse opportunistic TLS in SMTP with browser to webserver TLS in HTTPS. In the name of improving security such settings make your MTA less secure. There are still many systems that can only do TLS 1.0 and not TLS 1.1 or TLS 1.2. Other systems may not support your rather narrow choice of ciphersuites.

In the absence of interoperable TLS capabilities, many systems will send you email in the clear. Is that an improvement? Other systems may not be able to send at all. See RFC7435.

Postfix has sensible default TLS settings, despite what some clueless checklist may suggest.

> So I think this would replace these lines of https://cipherli.st:
>
> ------------------------------------------------------------------
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_mandatory_ciphers = medium
> tls_medium_cipherlist = AES128+EECDH:AES128+EDH
> ------------------------------------------------------------------

Better yet, ignore that site and its counterproductive advice.

> smtpd_use_tls=yes

Obsolete legacy setting.

> smtpd_tls_security_level = may (X)

Its current replacement.

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file=/etc/ssl/postfix.cert
> smtpd_tls_key_file=/etc/ssl/postfix.key

Good.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache (X)

With Postfix 2.11 and later, session tickets (stored by the client) are preferred and a server-side cache is no longer recommended. Leave empty unless running an older Postfix version.

-- 
	Viktor.
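The following main.cf fragment is an added illustration of the point made in the reply above; it is not part of the original thread and is not Daniel's or Viktor's configuration. It places the cipherli.st-style settings quoted in the thread (commented out) beside an inbound opportunistic-TLS configuration that leaves protocol and cipher selection at the Postfix defaults. The certificate and key paths are the ones quoted in the thread; the log level line is an assumption added so that the negotiated protocol and cipher can be checked in the mail log.

```conf
# --- Settings quoted from cipherli.st in the thread: do NOT use on an MTA ---
# On an SMTP server with smtpd_tls_security_level = may, a peer that cannot
# negotiate within this narrow protocol/cipher range does not "fail closed";
# it simply falls back to cleartext SMTP (or cannot deliver at all).
#smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtpd_tls_mandatory_ciphers = medium
#tls_medium_cipherlist = AES128+EECDH:AES128+EDH
#smtpd_use_tls = yes

# --- Inbound opportunistic TLS, per the reply above ---
# Current replacement for the obsolete smtpd_use_tls=yes. "may" announces
# STARTTLS to every client but still accepts cleartext from clients that
# cannot or do not use it (RFC 7435 opportunistic security).
smtpd_tls_security_level = may

# Offer STARTTLS, but refuse SMTP AUTH on an unencrypted connection.
smtpd_tls_auth_only = yes

# Paths as quoted in the thread.
smtpd_tls_cert_file = /etc/ssl/postfix.cert
smtpd_tls_key_file  = /etc/ssl/postfix.key

# Deliberately NOT set: smtpd_tls_protocols, smtpd_tls_ciphers,
# smtpd_tls_mandatory_protocols, smtpd_tls_mandatory_ciphers and
# tls_medium_cipherlist stay at the Postfix defaults so that older
# senders (TLS 1.0 only, or with a different cipher set) still get TLS
# instead of cleartext.

# Deliberately left empty on Postfix 2.11 and later: the server-side
# session cache is superseded by session tickets, which the client stores.
smtpd_tls_session_cache_database =

# Assumption (not from the thread): log one summary line per TLS
# connection so the negotiated protocol and cipher are visible in the
# mail log, which is how to find out whether a narrow policy would have
# forced a given sender back to cleartext.
smtpd_tls_loglevel = 1
```

To see what the compiled-in defaults actually are on a given Postfix build, run `postconf -d smtpd_tls_protocols smtpd_tls_ciphers smtpd_tls_mandatory_protocols smtpd_tls_mandatory_ciphers`, and `postconf -n` to list only the parameters that main.cf overrides; any of the commented-out lines above showing up in the `-n` output is the thing to remove.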