Thanks both Allen and Dirk :)

The ciphers should be supported by many servers because those are used by TLS 1.0 to 1.2, so I think they should be fine. I hope :) I have not received any real criticism yet about some stupid ciphers, so I consider my current list OK.

Regarding Allen's suggestion about PGP/GPG: I already use S/MIME, as you can probably see in email clients like Thunderbird, Outlook and Evolution.

/J


On 11/23/2017 02:15 PM, Dirk Stöcker wrote:
On Thu, 23 Nov 2017, Jonathan Sélea wrote:

I did struggle a lot to understand and deploy a secure cipher list that https://hardenize.com and https://ssl-tool.net would not complain about, so I came up with this:

smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, CAMELLIA, SEED, 3DES, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES256-SHA, AES128-SHA
smtpd_tls_eecdh_grade=ultra
tls_preempt_cipherlist = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1

My question is, can I improve this further, or do you guys/girls have any opinion regarding this?
I am grateful for all comments, tips or other suggestions :)

Nothing gets older faster than cipher specifications. Usually it is best to use a recent version of the SSL libraries and not change the specs. The defaults incorporate the most recent developments.

If SSLv2, SSLv3 and RC4 are still supported by default on your system, an update of the software is recommended instead of tuning the specs.

P.S. You always need to keep in mind that you will fallback to plaintext, so a bad cipher is (usually) better than none.

Ciao
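A way to see what the posted cipher list and exclusion list actually select on the local OpenSSL, as an added example that is not part of this thread: Postfix passes tls_high_cipherlist to OpenSSL and appends each smtpd_tls_exclude_ciphers entry as a "!NAME" rule (an approximation of Postfix's composition, labelled as such in the code), so this script reproduces that and reports any excluded entry that still matches an enabled cipher. The alias-to-substring table is a hand-maintained approximation, and the two evident typos in the posted exclude list are written here as EDH-RSA-DES-CBC3-SHA and KRB5-DES.

```python
import ssl
from typing import Dict, List, Tuple

# Values taken from the configuration posted in this thread (typos CDC3 and
# KRB5-DE5 written as CBC3 and KRB5-DES).
TLS_HIGH_CIPHERLIST = ("EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
                       "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:"
                       "+AES128:+SSLv3:AES256-SHA:CAMELLIA128-SHA:AES128-SHA")
SMTPD_TLS_EXCLUDE_CIPHERS = ("aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, "
                             "EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, "
                             "CAMELLIA, SEED, 3DES, AES128-GCM-SHA256, AES256-GCM-SHA384, "
                             "AES128-SHA256, AES256-SHA256, AES256-SHA, AES128-SHA")

# Hand-maintained approximation: substrings that identify members of the
# OpenSSL alias groups used in the exclude list. Concrete cipher names
# (entries not in this table) are matched exactly, as OpenSSL does.
ALIAS_MARKERS: Dict[str, Tuple[str, ...]] = {
    "aNULL": ("ADH-", "AECDH-"), "eNULL": ("NULL-",), "EXPORT": ("EXP-",),
    "DES": ("DES-CBC-",), "3DES": ("DES-CBC3",), "RC4": ("RC4",), "MD5": ("MD5",),
    "PSK": ("PSK",), "aECDH": ("AECDH-",), "CAMELLIA": ("CAMELLIA",), "SEED": ("SEED",),
}

def postfix_cipher_spec(base: str, excludes: str) -> str:
    """Approximate Postfix's composition: base list, then one '!NAME' per exclusion."""
    names = excludes.replace(",", " ").split()
    return ":".join([base] + ["!" + n for n in names])

def resolve(spec: str) -> List[str]:
    """Return the TLS<=1.2 cipher names the local OpenSSL selects for spec."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing at all matches
    # get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does not govern.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def leaked_exclusions(excludes: str, enabled: List[str]) -> List[str]:
    """Exclude-list entries that still match something in the enabled list."""
    leaks = []
    for entry in excludes.replace(",", " ").split():
        markers = ALIAS_MARKERS.get(entry)
        if markers is None:  # a concrete cipher name (or a typo): exact match only
            hit = entry in enabled
        else:
            hit = any(m in name for m in markers for name in enabled)
        if hit:
            leaks.append(entry)
    return leaks

if __name__ == "__main__":
    enabled = resolve(postfix_cipher_spec(TLS_HIGH_CIPHERLIST, SMTPD_TLS_EXCLUDE_CIPHERS))
    print("\n".join(enabled))
    print("exclusions still active:",
          leaked_exclusions(SMTPD_TLS_EXCLUDE_CIPHERS, enabled) or "none")
```

Entries that match nothing on the local OpenSSL (mistyped names, removed Kerberos suites) are silently ignored by OpenSSL, so a clean "none" only means the real ciphers are gone, not that every entry was spelled correctly.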

