On Wed, Oct 25, 2017, at 06:45 AM, Matus UHLAR - fantomas wrote:
> > postconf -n | grep smtpd | grep tls | grep ciphers
> > smtpd_tls_ciphers = medium
> > smtpd_tls_mandatory_ciphers = medium
>
> this looks like you only accept medium grade ciphers ... so no high grade.
> That means, Petri was right about "hardening". use "medium, high"

What do you mean by "That means, Petri was right about "hardening". use "medium, high"" ?

At

    http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers

for smtpd_tls_mandatory_ciphers (default: medium) it says

    medium
        Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
        128-bit or longer symmetric bulk-encryption keys. This is the
        default minimum strength for mandatory TLS encryption. The
        underlying cipherlist is specified via the tls_medium_cipherlist
        configuration parameter, which you are strongly encouraged to
        not change.

and for smtpd_tls_ciphers (default: medium) it says

    The minimum TLS cipher grade that the Postfix SMTP server will use
    with opportunistic TLS encryption. Cipher types listed in
    smtpd_tls_exclude_ciphers are excluded from the base definition of
    the selected cipher grade. The default value is "medium" for Postfix
    releases after the middle of 2015, "export" for older releases.

For both parameters, a value of 'medium'

(1) is a "minimum strength"
(2) *includes* high
(3) is the default

Why use 'medium, high' ?

Dave