On Tue, 2020-08-18 at 06:42 -0600, @lbutlr wrote:
> smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
> smtp_tls_loglevel = 1
FWIW it is worth periodically reviewing the documentation for openssl and the ciphers it offers to maintain excluded cipher lists, and also set protocol lists. Personally I have:

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtp_tls_note_starttls_offer = yes
smtp_tls_block_early_mail_reply = yes
smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 TLSv1.2 TLSv1.3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 TLSv1.2 TLSv1.3
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, KDH, SEED, aNULL, RC4, PSD, SRP, 3DES, RC2, aDSS, IDEA, kECDH, eNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, KDH, SEED, aNULL, RC4, PSD, SRP, 3DES, RC2, aDSS, IDEA, kECDH, eNULL
smtp_tls_connection_reuse = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_eecdh_grade = auto
tls_preempt_cipherlist = yes
tls_daemon_random_bytes = 64
tls_random_source = dev:/dev/urandom
tls_random_bytes = 64
tls_random_reseed_period = 3600s
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_prng_update_period = 3600s
tls_append_default_CA = no
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:!CAMELLIA128:!AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:!CAMELLIA128-SHA:!AES128-SHA

(Some of which may also be deprecated/legacy.)

It's probably time I reviewed the cipherlist, but I have other things on my plate right now.
-- 
Nikolai Lusan
Email: niko...@lusan.id.au
Phone: 0425 661 620
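The review the post suggests is easier when you can see what Postfix actually hands to OpenSSL. The following is an added example, not code from the post or from Postfix: it resolves a main.cf fragment like the one above into the effective OpenSSL cipher string and the set of protocol versions left enabled, so the result can be checked with `openssl ciphers -v`. It assumes Postfix's documented behaviour (grade cipherlist followed by `:!ALIAS` per exclusion; a protocol list that mixes `!X` exclusions with plain names keeps only the plain names minus the exclusions); the config sample is constructed from the post with the cipherlist abridged.

```python
"""Resolve what a Postfix TLS config like the one in the post hands to OpenSSL.
Assumption (Postfix's documented behaviour): cipher string = grade cipherlist +
':!ALIAS' per exclusion; a protocol list mixing '!X' exclusions with plain names
keeps only the plain names minus the exclusions."""
import re

KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Constructed sample: the server-side lines from the post, cipherlist abridged.
SAMPLE_MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 TLSv1.2 TLSv1.3
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, KDH, SEED, aNULL, RC4, PSD, SRP, 3DES, RC2, aDSS, IDEA, kECDH, eNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, KDH, SEED, aNULL, RC4,PSD, SRP, 3DES, RC2, aDSS, IDEA, kECDH, eNULL
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:!aNULL:!eNULL:!MD5:!RC4
"""

def parse_main_cf(text):
    """Parse 'key = value' lines into a dict (blank lines skipped)."""
    conf = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def split_list(value):
    """Postfix list parameters split on commas and/or whitespace ('RC4,PSD' too)."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def cipher_string(conf, prefix="smtpd", mandatory=False):
    """Cipher string for SSL_CTX_set_cipher_list(). Opportunistic ('may') TLS uses
    <prefix>_tls_ciphers (default medium); only mandatory levels use
    <prefix>_tls_mandatory_ciphers and add the *_mandatory_exclude_ciphers list."""
    grade = conf.get(f"{prefix}_tls_mandatory_ciphers" if mandatory else f"{prefix}_tls_ciphers", "medium")
    base = conf[f"tls_{grade}_cipherlist"]  # KeyError if the grade's list is not in the sample
    excluded = split_list(conf.get(f"{prefix}_tls_exclude_ciphers", ""))
    if mandatory:
        excluded += split_list(conf.get(f"{prefix}_tls_mandatory_exclude_ciphers", ""))
    return base + "".join(f":!{alias}" for alias in excluded)

def enabled_protocols(plist):
    """Set of protocol versions a Postfix *_tls_protocols list leaves enabled."""
    include, exclude = set(), set()
    for tok in split_list(plist):
        name = tok.lstrip("!")
        if name not in KNOWN_PROTOCOLS:
            raise ValueError(f"unknown protocol {tok!r}")
        (exclude if tok.startswith("!") else include).add(name)
    return (include if include else set(KNOWN_PROTOCOLS)) - exclude
```

Note that with `smtpd_tls_security_level = may`, the opportunistic grade (`smtpd_tls_ciphers`, default medium) is what applies; `smtpd_tls_mandatory_ciphers = high` only takes effect at a mandatory level, which the `KeyError` for the missing medium list in this sample makes visible.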