On Mon, Dec 04, 2017 at 09:24:48AM -0500, Viktor Dukhovni wrote:
> > smtpd_tls_mandatory_ciphers=high
> This may be counter-productive. You're forcing peers that
> only do RC4 to send in the clear instead. Probably not a
> win, and with peers that can do HIGH ciphers, you get HIGH
> anyway. On the other hand support for only RC4 or 3DES
> (now medium in some newer OpenSSL versions) is rare, most
> peers will support AES, and yet "medium" is still a better
> choice for opportunistic TLS.

How would the peer send anything unencrypted if the policy defines that
TLS is mandatory? And for smtpd you can not have mandatory TLS for port
25 anyway.

Bastian

-- 
A princess should not be afraid -- not with a brave knight to protect her.
		-- McCoy, "Shore Leave", stardate 3025.3