Hi,

I did struggle a lot to understand and deploy a secure cipher list that https://hardenize.com and https://ssl-tool.net would not complain about, so I came up with this:

smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA, CAMELLIA, SEED, 3DES, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES256-SHA, AES128-SHA
smtpd_tls_eecdh_grade=ultra
tls_preempt_cipherlist = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1

My question is, can I improve this further, or do you guys/girls have any opinion regarding this?
I am grateful for all comments, tips or other suggestions :) / Jonathan
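
A consistency check for the two cipher settings in the message above, as an added example that is not part of the original post: it lists terms of tls_high_cipherlist that smtpd_tls_exclude_ciphers also names, since an excluded cipher is removed from the server's list no matter where the cipherlist ranks it. The function names are hypothetical, and the comparison is textual only, which is an assumption that simplifies OpenSSL's cipher-string matching.

```python
import re

# The two settings compared here, copied from the post above.
MAIN_CF = """\
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA, CAMELLIA, SEED, 3DES, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES256-SHA, AES128-SHA
"""


def parse_settings(text):
    """Return {name: value} for 'name = value' lines; continuation lines are not handled."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def cipherlist_terms(cipherlist):
    """Split an OpenSSL cipher string into the individual terms it mentions."""
    terms = []
    for element in re.split(r"[:, ]+", cipherlist):
        # A leading '+', '-' or '!' is an operator on the element, not part of the name.
        for term in element.lstrip("+-!").split("+"):
            if term:
                terms.append(term)
    return terms


def excluded_terms(settings, list_param="tls_high_cipherlist",
                   exclude_param="smtpd_tls_exclude_ciphers"):
    """Terms of the cipherlist that the exclude list names too, in cipherlist order."""
    exclusions = set(re.split(r"[,\s]+", settings.get(exclude_param, "")))
    hits = []
    for term in cipherlist_terms(settings.get(list_param, "")):
        if term in exclusions and term not in hits:
            hits.append(term)
    return hits


if __name__ == "__main__":
    for term in excluded_terms(parse_settings(MAIN_CF)):
        print("listed in tls_high_cipherlist but excluded:", term)
```

The effective result on a given host still depends on the installed OpenSSL, so the list a server really offers is best confirmed with a scan against the running service.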