On 2017-04-19 13:33:13 (+0200), @lbutlr <krem...@kreme.com> wrote:
> On 2017-04-13 (11:21 MDT), Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
>
> I have these, but also LOW, EXPORT, and RC4. Are these not needed?

That depends on the versions of Postfix and OpenSSL on your system and on how much you care about interoperability. While RC4-MD5 should no longer be used for anything, there are still a lot of mailservers out there that don't know any better. When you don't offer them RC4-MD5, they will fall back to plain text. Even RC4-MD5 is better than that.

In general, you should probably leave this setting alone unless you have a very specific reason to change it. And even then, you will likely be better served with an entry in `smtp_tls_policy_maps` overriding the default for a specific destination.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
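
An added example, not part of the original message or of Postfix: before excluding a cipher globally, the handshake summaries Postfix writes with `smtp_tls_loglevel = 1` can show which destinations have only ever negotiated it, which are the ones the reply says could end up on plain text. The log lines are constructed samples, and the function names and the matching on cipher-name components are assumptions of this sketch.

```python
import re

# Constructed sample lines in the format Postfix logs with smtp_tls_loglevel = 1.
SAMPLE_LOG = """\
Apr 19 13:01:02 mx postfix/smtp[2101]: Untrusted TLS connection established to mail.old.example[192.0.2.10]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Apr 19 13:01:09 mx postfix/smtp[2102]: Trusted TLS connection established to mx.new.example[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 19 13:02:44 mx postfix/smtp[2107]: Untrusted TLS connection established to mail.old.example[192.0.2.10]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Apr 19 13:03:15 mx postfix/smtp[2110]: Anonymous TLS connection established to relay.mixed.example[203.0.113.5]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
Apr 19 13:03:40 mx postfix/smtp[2111]: 4F2A91C0: to=<a@plain.example>, relay=mx.plain.example[192.0.2.77]:25, delay=1.2, status=sent (250 OK)
"""

# Matches the outbound (smtp client) TLS handshake summary line.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: \w+ TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def ciphers_by_destination(log_text):
    """Return {host: {cipher_name: handshake_count}} for outbound TLS sessions."""
    seen = {}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            per_host = seen.setdefault(m["host"], {})
            per_host[m["cipher"]] = per_host.get(m["cipher"], 0) + 1
    return seen

def at_risk(log_text, tokens):
    """Hosts whose every observed cipher has a name component in tokens.

    tokens are literal cipher-name components such as "RC4" or "MD5";
    OpenSSL class keywords (LOW, EXPORT, aDSS, ...) are not expanded here.
    """
    blocked = set(tokens)
    hosts = []
    for host, ciphers in ciphers_by_destination(log_text).items():
        if all(blocked & set(name.split("-")) for name in ciphers):
            hosts.append(host)
    return sorted(hosts)

if __name__ == "__main__":
    for host in at_risk(SAMPLE_LOG, ["RC4"]):
        print(host, ciphers_by_destination(SAMPLE_LOG)[host])
```

The result is a list of candidates, not a verdict: a peer that picked RC4 may still accept another cipher once RC4 is no longer offered. Those hosts are the natural place for a per-destination `smtp_tls_policy_maps` entry.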
