Even with level encrypt the certificates are **NOT** verified, which
means anonymous ciphers are still used.

To verify peer certificates see:
http://www.postfix.org/TLS_README.html#client_tls_verify.
Or configure postfix smtp server to enforce clients to present a cert:
http://www.postfix.org/postconf.5.html#smtpd_tls_req_ccert

But to use "encrypt" on a public smtp server or enforce clients to
present certificates on such systems will lead to the fact that you
won't be receiving mails from servers which do not support TLS or do not
use a matching cipher.


On 31.07.2017 at 22:55, robg...@nospammail.net wrote:
> I'm reading about ciphers.
> 
> Here
> 
> "why use "aNULL:!aNULL:" in Postfix default cipherlists?"
>  
> http://postfix.1071664.n5.nabble.com/why-use-quot-aNULL-aNULL-quot-in-Postfix-default-cipherlists-td83301.html
> 
> It talks about using anonymous ciphers when TLS policy is opportunistic == 
> may.
> 
> I get that.
> 
> If instead you use MANDATORY tls policy, == encrypt, do you need to redefine 
> the cipherlist to REMOVE that "aNull:-aNull"?
> 
> Rob
> 
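
The settings discussed in this thread, laid out as a main.cf sketch. This is an added example, not part of the original messages; the CA bundle paths are assumed placeholders, the server's own certificate and key are assumed to be configured elsewhere, and the explicit aNULL exclusion is an optional addition that the reply does not mention.

```ini
# /etc/postfix/main.cf (added illustration; paths are assumptions)
# Note: main.cf comments must start at the beginning of a line.

# --- Outbound mail (Postfix SMTP client) ---

# Weak variant: TLS is mandatory, but the server certificate is NOT verified,
# so a session with an unauthenticated peer is still accepted.
#smtp_tls_security_level = encrypt

# Stricter variant: TLS is mandatory AND the server certificate must chain to
# a trusted CA and match the server name. Delivery to servers that cannot
# meet this is deferred, so this is usually scoped per destination with
# smtp_tls_policy_maps rather than set globally.
smtp_tls_security_level = verify
# Assumed CA bundle location:
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Optional: explicitly exclude anonymous (aNULL) cipher suites whenever a
# mandatory TLS level (encrypt or stronger) is in effect.
smtp_tls_mandatory_exclude_ciphers = aNULL

# --- Inbound mail (Postfix SMTP server) ---

# Require every client to use TLS and to present a certificate signed by a
# trusted CA. smtpd_tls_req_ccert only takes effect when TLS is enforced.
# As the reply warns, this is not suitable for a public MX host.
smtpd_tls_security_level = encrypt
smtpd_tls_req_ccert = yes
# Assumed CA bundle used to validate client certificates:
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_mandatory_exclude_ciphers = aNULL
```

After `postfix reload`, `postconf -n | grep tls` shows which of these values are actually in effect.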
