Bastien Durel:
> Hello,
>
> I have a setup where an MTA will forward mail to another node, based on
> ldap configuration.
> It works well, but it uses ADH
>
> Received: from corrin.geekwu.org (unknown [87.98.180.13])
>         (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
>         (No client certificate requested)
>         by arrakeen.geekwu.org (Postfix) with ESMTPS id A96DF6C07D
>         for <bast...@geekwu.org>; Thu, 6 Jul 2017 01:52:53 +0200 (CEST)
>
> I know I should not disable ADH on the public interface, but I'd like to
> prevent it on the "private" interface (intra-cluster only), as "cluster"
> nodes do communicate over the Internet.
>
> The private interface is defined in master.cf:
> 26 inet n - - - - smtpd
>   -o smtpd_client_restrictions=permit_mynetworks,reject
>   -o syslog_name=postfix/cluster
>   -o smtpd_milters=
>   -o check_policy_service=
>
> but I did not succeed in fixing the cipher for this interface (something
> like -osmtpd_tls_ciphers=ECDH+AES does not work ...)
RTFM?

As documented, smtpd_tls_ciphers takes a grade (such as 'medium' or
'export'). See 'smtpd_tls_mandatory_ciphers' for the full list.

http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers

> Is there a way to do that?

The above links refer to, among other things,

http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers

This has an example for excluding anonymous ciphers.

	Wietse
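For the record, the master.cf change that Wietse's pointer leads to, written out as an added example rather than text from either poster: the cluster listener as posted, and the same entry with anonymous (aNULL) cipher suites excluded for that listener only. The port and the existing -o settings come from the thread; the smtpd_tls_security_level=encrypt line is an assumption about what an intra-cluster listener should enforce, not something either poster stated.

```text
# master.cf, cluster listener as posted: ADH suites are still offered,
# because smtpd_tls_ciphers only selects a grade (export, low, medium,
# high, null) and cannot drop individual suites.
26        inet  n       -       -       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o syslog_name=postfix/cluster
  -o smtpd_milters=
  -o check_policy_service=

# master.cf, corrected: exclude every anonymous (unauthenticated) suite on
# this listener only, leaving the public "smtp inet" service untouched.
# Keep -o values free of whitespace: "aNULL,MD5" works, "aNULL, MD5" does
# not. The encrypt level is an assumption (require TLS from cluster peers).
26        inet  n       -       -       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o syslog_name=postfix/cluster
  -o smtpd_milters=
  -o check_policy_service=
  -o smtpd_tls_exclude_ciphers=aNULL
  -o smtpd_tls_security_level=encrypt
```

Two caveats before reloading. First, excluding aNULL only helps if arrakeen actually has a server certificate configured (smtpd_tls_cert_file and smtpd_tls_key_file); without one, the anonymous suites are the only ones the server can use, and the exclusion leaves nothing to negotiate. Second, an ADH suite was chosen because the sending side (corrin) does not authenticate the server; the exclusion on port 26 makes ADH impossible there, but the peer's own configuration is the other half of the fix (smtp_tls_exclude_ciphers=aNULL, or a verify-level policy for this destination in smtp_tls_policy_maps). To check the result, `openssl s_client -starttls smtp -connect arrakeen.geekwu.org:26 -cipher aNULL` should now fail the handshake, while the same command with the default cipher list should still succeed, and the next Received: header should show an authenticated suite instead of ADH-AES256-GCM-SHA384. On Postfix 2.11 or later, `postconf -P "26/inet/smtpd_tls_exclude_ciphers=aNULL"` edits the master.cf entry without touching the file by hand.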