> On Jun 15, 2018, at 8:28 AM, micah anderson <mi...@riseup.net> wrote:
> 
> In 2015, Viktor wrote an email detailing the current recommended TLS
> settings[0].
> 
> Now that we are three years later, are these still the best settings? Is
> there something better we can be recommending?
> 
> If anything, I think that 'smtp_tls_security_level = may' should be
> recommended (it actually should be *default*), but I'm wondering about
> the other recommended ciphers/protocols/excludes etc. as well.

There's nothing in that post that has yet been subject to much bitrot.
You could probably disable RC4 at this point, it is by default gone
as an SSL cipher from OpenSSL 1.1.0 and later, or leave it on for
interoperability with a tiny fraction of obsolete Windows 2003
systems.

I hope to modernize the OpenSSL supporting code this year, perhaps
I'll have new recommendations for Postfix 3.4 in 2019.  The idea
will be to accommodate TLS 1.3, Ed25519, support SNI on the server
side, and on the client side also when not using DANE, ...

-- 
        Viktor.
