Viktor Dukhovni wrote
> On Mar 30, 2017, at 12:03 AM, Den1 <webmaster@> wrote:
>
>>> smtp_tls_ciphers = medium
>>> smtp_tls_exclude_ciphers =
>>>     MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
>>
>> Why would you exclude these ciphers
>
> Because:
>
> * MD5 is weak, obsolete and unnecessary
> * SRP and PSK require special code to use, and excluding these
>   is actually a NOOP, but makes clearer that they'll never be used.
> * DSS is weak, obsolete and unnecessary
> * The kECDH and kDH "fixed DH" algorithms should never have been added
>   to OpenSSL and were removed in OpenSSL 1.1.0. They are not needed.
> * SEED, IDEA, RC2, and RC5 are never used and are not needed.
> * RC4 is weak and no longer needed.
>
> Shorter cipherlists avoid some interoperability issues. Especially
> with older Windows systems, but to interoperate with those you'd need
> to leave RC4 enabled. Such systems have largely been replaced, you're
> not likely to run into them.
>
>> and make them medium, Louis?
>
> The cipher grade in Postfix sets a "floor" on the ciphers used, that
> is only medium or better. Nobody is "making them medium":
>
> http://www.postfix.org/postconf.5.html#smtp_tls_ciphers
>
> --
> Viktor.

Appreciate your input, Viktor. Thank you.

--
View this message in context: http://postfix.1071664.n5.nabble.com/Postfix-cannot-start-tls-handshake-failure-tp89684p89755.html
Sent from the Postfix Users mailing list archive at Nabble.com.
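The exclusion list discussed in this thread, as an added example that is not part of either message: a small audit that takes `openssl ciphers -v` style lines and reports which suites each excluded token removes. The token-to-field mapping, the function names and the sample lines are assumptions constructed for illustration; this is a simplified model, not Postfix's or OpenSSL's own matching code.

```python
import re
# Exclusion tokens from the message, each mapped to a (field, regex) test over
# the attributes printed by `openssl ciphers -v`. Simplified audit model.
RULES = {
    "MD5": ("Mac", r"^MD5$"),
    "SRP": ("Kx", r"^SRP$"),
    "PSK": ("Kx", r"PSK"),
    "aDSS": ("Au", r"^DSS$"),
    "kECDH": ("Kx", r"^ECDH/"),  # fixed ECDH; ephemeral prints as plain ECDH
    "kDH": ("Kx", r"^DH/"),      # fixed DH; ephemeral prints as plain DH
    "SEED": ("Enc", r"^SEED"),
    "IDEA": ("Enc", r"^IDEA"),
    "RC2": ("Enc", r"^RC2"),
    "RC5": ("Enc", r"^RC5"),
    "RC4": ("Enc", r"^RC4"),
}
EXCLUDE = "MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4".split(",")

# Constructed sample in the OpenSSL 1.0.x `openssl ciphers -v` layout.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
DH-RSA-AES128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
""".splitlines()

def parse(line):
    """Split one listing line into name, protocol and Kx/Au/Enc/Mac fields."""
    name, proto, *attrs = line.split()
    return {"name": name, "proto": proto, **dict(a.split("=", 1) for a in attrs)}

def audit(lines, exclude=EXCLUDE):
    """Return (kept suite names, {dropped suite name: [tokens that hit it]})."""
    kept, dropped = [], {}
    for suite in map(parse, lines):
        hits = [t for t in exclude
                if re.search(RULES[t][1], suite.get(RULES[t][0], ""))]
        if hits:
            dropped[suite["name"]] = hits
        else:
            kept.append(suite["name"])
    return kept, dropped

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feeding it the real listing from the OpenSSL build that Postfix links against shows whether a given exclusion is still doing anything on that system.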