> As some test suite recommendations might be harsher than what is practical I > thought I'd check with the people who actually work on Postfix. > > 1) some test sites say TLS 1.0 should be disabled for NIST compliance. Is > that recommended? What about 1.1?
The devices will negotiate the best possible encryption available to both. If you disable TLS 1.0 (or even SSL) you risk defaulting to plain text. (The definition of “best” in above is an open issue.) > 2) is there a page that has up-to-date recommendations on this and items like > cipher list settings from the Postfix maintenaners. Wietse and Viktor are very meticulous with the defaults. Unless you have some very specific requirements or knowledge, I doubt you will improve the security by changing the settings. -- Cheers Petri https://metis.fi/en/petri-en tel:+358400505939
smime.p7s
Description: S/MIME cryptographic signature
