> Therefore, after "CHACHA20:-CHACHA20" the CHACHA20 ciphers are at
> the top of the enabled+unselected cipher stack. And then after
> "aNULL:-aNULL" the "aNULL" ciphers are at the top of the stack.
That's what it took. I was thinking of it in a literal order, not necessarily a pop'd/push'd stack. Thanks.

> I am assuming you are now wiser

You know what they say about assumptions. But, I hope so!

> how much you don't yet know about cipherlists... :-)

It LOOKS simple when you first look at it in the docs.

> > So how DO you make sure that a specific cipher is ALWAYS used if it's
> > available?
>
> You list the preferred category first.

Which now makes more sense in stack-think.

> I strongly recommend against
> listing individual explicit cipher names. Later there will be
> better key exchange algorithms, better hashes, ...

Yeah, I noticed you used just 'CHACHA20', which I guess is the group name? Or is that still just an abbreviated, explicit cipher name? I've been using the full/explicit cipher name so far because I haven't found the right doc that lists the group name (CHACHA20) that includes it.

> The best way to future-proof a non-default cipherlist is to use
> preferences for particular features

I do that already between internal machines.

> and not hardcode specific individual ciphers. Even better, let the library
> maintainers
> construct a sensible cipherlist, and avoid being a crypto fashionista.
> :-) Of course with paying clients, they get what they ask and pay for if they
> are not interested in advice on what to do.

Yep. There's a bunch of clients in the customer chain. They all agreed on project standards long before I got involved. We've got enough problems with the meat of the project without stirring their pot at this point on "just mail".

> > > Google is presenting a certificate that
> > > chains to a locally trusted CA. You must have configured a non-empty
> > > "smtp_tls_CAfile" or "smtp_tls_CApath".
>
> I recommend an empty setting here. Tastes great, less filling.

Ok. So if the docs say

    Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
    the system-supplied default Certification Authority certificates.

    Specify "tls_append_default_CA = no" to prevent Postfix from appending
    the system-supplied default CAs and trusting third-party certificates.

and I set

    smtp_tls_CApath =
    tls_append_default_CA = no

Then it

    won't ONLY use sys default CA certs
    will PREVENT appending sys default CA certs
    won't TRUST (and/or use?) 3rd party certs

So what exactly IS it gonna do?
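Added example, not from this thread or from the Postfix documentation: a main.cf fragment laying the three combinations of the quoted parameters side by side. The parameter names are real Postfix SMTP-client settings; the file paths are assumptions and should be replaced with your distribution's CA locations.

```ini
# Variant 1: the empty setting recommended in the quoted reply, plus the
# poster's "tls_append_default_CA = no". No CA file, no CA directory, and
# nothing appended, so Postfix loads NO trust anchors at all. No remote
# server certificate can ever verify. With opportunistic TLS ("may") that
# is harmless: the session is still encrypted, delivery proceeds, and the
# log line reads "Untrusted TLS connection established ...".
smtp_tls_security_level = may
smtp_tls_CAfile =
smtp_tls_CApath =
tls_append_default_CA = no

# Variant 2: what the quoted doc sentence describes. Trust ONLY the system
# CA store (path is an assumption). Peers whose certificate chains to it
# log "Trusted TLS connection established ..."; nothing else is appended.
#smtp_tls_CApath = /etc/ssl/certs
#tls_append_default_CA = no

# Variant 3: a private CA bundle for specific peers, still without pulling
# in the system store. Only that bundle verifies; this is the shape you
# need before raising the level to "verify" or "secure" for a destination,
# because at those levels a certificate that does not verify blocks delivery.
#smtp_tls_CAfile = /etc/postfix/private-ca.pem
#tls_append_default_CA = no
```

Two checks worth doing after editing: `postconf -n smtp_tls_CAfile smtp_tls_CApath tls_append_default_CA smtp_tls_security_level` shows what is actually set (compare with `postconf -d` for the built-in defaults), and the "Trusted" versus "Untrusted" wording in the mail log tells you which variant you ended up with. These are the SMTP-client (outbound) parameters only; the server side has its own smtpd_tls_CAfile and smtpd_tls_CApath, which this fragment does not touch.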