> On Mar 30, 2017, at 12:03 AM, Den1 <webmas...@lshipping.info> wrote:
>
>> smtp_tls_ciphers = medium
>> smtp_tls_exclude_ciphers =
>>     MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
>
> Why would you exclude these ciphers

Because:

  * MD5 is weak, obsolete and unnecessary
  * SRP and PSK require special code to use, and excluding these is
    actually a NOOP, but makes clearer that they'll never be used.
  * DSS is weak, obsolete and unnecessary
  * The kECDH and kDH "fixed DH" algorithms should never have been added
    to OpenSSL and were removed in OpenSSL 1.1.0. They are not needed.
  * SEED, IDEA, RC2, and RC5 are never used and are not needed.
  * RC4 is weak and no longer needed.

Shorter cipherlists avoid some interoperability issues. Especially with
older Windows systems, but to interoperate with those you'd need to leave
RC4 enabled. Such systems have largely been replaced, you're not likely
to run into them.

> and make them medium, Louis?

The cipher grade in Postfix sets a "floor" on the ciphers used, that is
only medium or better. Nobody is "making them medium":

    http://www.postfix.org/postconf.5.html#smtp_tls_ciphers

-- 
    Viktor.
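As an added illustration (not part of the thread above, and not Postfix code), the script below asks the local OpenSSL, via Python's standard `ssl` module, which cipher suites actually survive a "medium" grade plus the exclusion list quoted in the thread. It assumes two things: that `smtp_tls_ciphers = medium` resolves to the documented default of Postfix's `tls_medium_cipherlist` parameter (`aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH`; verify with `postconf tls_medium_cipherlist` on your own version), and that each name in `smtp_tls_exclude_ciphers` is appended as an OpenSSL `!NAME` rule. The helper names (`build_cipherlist`, `selected_ciphers`, `check_excluded`) are hypothetical and exist only for this example.

```python
"""Added example: see which OpenSSL cipher suites survive a Postfix-style
cipher grade plus exclusion list, using the standard-library ssl module
(which is linked against the system's OpenSSL)."""
import ssl

# Assumption: documented default of Postfix's tls_medium_cipherlist, the
# list that smtp_tls_ciphers = medium selects.  Check your own version
# with `postconf tls_medium_cipherlist`.
TLS_MEDIUM_CIPHERLIST = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"

# The exclusion list from the thread, exactly as configured there.
EXCLUDE = "MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4"


def build_cipherlist(grade_list: str, exclude: str) -> str:
    """Combine the grade cipherlist with the exclusions the way Postfix
    does (assumption): every excluded name becomes an OpenSSL '!NAME'
    rule appended after the grade list."""
    rules = [grade_list]
    for name in exclude.replace(" ", "").split(","):
        if name:
            rules.append("!" + name)
    return ":".join(rules)


def selected_ciphers(cipherlist: str):
    """Return the suite names OpenSSL selects for this cipherlist.
    Aliases that match nothing (kDH/kECDH after their removal in
    OpenSSL 1.1.0, SRP/PSK without the special code paths) are simply
    ignored, which is why excluding them is a harmless no-op."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipherlist)
    return [c["name"] for c in ctx.get_ciphers()]


FORBIDDEN = ("MD5", "RC4", "SEED", "IDEA", "RC2", "RC5", "DSS", "SRP", "PSK")


def check_excluded(names, forbidden=FORBIDDEN):
    """Return surviving suite names that still mention an excluded
    algorithm; an empty list means the exclusion list did its job."""
    return [n for n in names if any(f in n for f in forbidden)]


if __name__ == "__main__":
    cl = build_cipherlist(TLS_MEDIUM_CIPHERLIST, EXCLUDE)
    print("OpenSSL cipherlist:", cl)
    names = selected_ciphers(cl)
    for name in names:
        print("  ", name)
    print("leftover excluded algorithms:", check_excluded(names))
```

Run it on the mail host itself so it reflects the same OpenSSL build Postfix links against; the printed list is what the SMTP client would offer at the "medium" floor, and the last line should be empty. The same check with `openssl ciphers -v '<cipherlist>'` on the command line gives the identical answer, since both go through the same cipher-string parser.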