> On Apr 19, 2017, at 7:45 AM, Philip Paeps <phi...@trouble.is> wrote:
>
>>> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
>>
>> I have these, but also LOW, EXPORT, and RC4. Are these not needed?

Reasonably current Postfix releases have "smtp_tls_ciphers = medium", which already excludes LOW and EXPORT.

As for RC4, I've not seen any RC4-only systems for some time. I was thinking of removing RC4 in Postfix this year, but given that it is being disabled at compile-time in the latest OpenSSL, and that the bias in the first 256 bytes of output is not a major issue for SMTP, I'm inclined to let RC4 fade away over time as users upgrade OpenSSL.

--
Viktor.