> On Dec 4, 2017, at 9:46 AM, Bastian Blank
> <bastian+postfix-users=postfix....@waldi.eu.org> wrote:
>
>>> smtpd_tls_mandatory_ciphers=high
>> This may be counter-productive. You're forcing peers that
>> only do RC4 to send in the clear instead. Probably not a
>> win, and with peers that can do HIGH ciphers, you get HIGH
>> anyway. On the other hand support for only RC4 or 3DES
>> (now medium in some newer OpenSSL versions) is rare, most
>> peers will support AES, and yet "medium" is still a better
>> choice for opportunistic TLS.
>
> How would the peer send anything unencrypted if the policy defines that
> TLS is mandatory?

Sorry, it is fine to set "smtpd_tls_mandatory_ciphers=high", that's
intended for port 587 where one would also set (in master.cf):

    smtpd_tls_security_level=encrypt

-- 
    Viktor.
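
The split discussed in this thread, as an added configuration sketch that is not part of the original messages: opportunistic TLS on port 25 uses `smtpd_tls_ciphers`, while `smtpd_tls_mandatory_ciphers` only takes effect for a service running at `encrypt` or stronger, such as submission on port 587. The `/etc/postfix` paths, the column values on the `submission` service line, and the `smtpd_tls_ciphers = medium` line (taken from the quoted advice about opportunistic TLS) are assumptions.

```conf
# /etc/postfix/main.cf  (path assumed)
# Port 25, MX traffic: TLS is opportunistic, so a peer that cannot
# negotiate an acceptable cipher falls back to plaintext.
smtpd_tls_security_level = may

# Cipher grade applied while TLS is opportunistic ("may").
# "medium" follows the quoted advice; value assumed for this sketch.
smtpd_tls_ciphers = medium

# Cipher grade applied only where TLS is mandatory ("encrypt" or
# stronger). It has no effect on the opportunistic port 25 service
# above, so setting it here does not push port 25 peers to plaintext.
smtpd_tls_mandatory_ciphers = high

# /etc/postfix/master.cf  (path and column values assumed)
# Port 587, submission: the per-service override makes TLS mandatory,
# which is what brings smtpd_tls_mandatory_ciphers into play.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
```

After a reload, `postconf -P 'submission/inet/smtpd_tls_security_level'` prints the master.cf override so the effective level for port 587 can be confirmed.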