On Sat, Aug 14, 2021 at 10:47:08AM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> > On 14 Aug 2021, at 1:15 am, raf <post...@raf.org> wrote:
> > 
> > According to the hardenize.com security bingo site,
> > they get a green box for their mail server TLS, even
> > though they support TLSv1.0 (yellow), because they
> > don't support anonymous ciphers (red). If they were
> > supporting anonymous ciphers, it would get a
> > yellow/amber box overall.
> > 
> > https://www.hardenize.com/report/rhenus.com
> 
> I should ping Ivan Ristic and ask him to change that policy. It
> is counterproductive. See:
> 
> https://datatracker.ietf.org/doc/html/rfc7672#section-8.2

That would be good. He might listen to you.
Any reduction in silly security theatre in the world is welcome.

> If you're not obligated by some regulatory requirement to have "green"
> checkmarks from a counterproductively strict TLS stack audit, leave
> "aNULL" ciphers enabled when doing unauthenticated opportunistic TLS.
> 
> Slinging unused certificates around adds nothing to your security.

I suppose being anti-anonymous ciphers makes sense for the web,
and then they misapplied that stance to mail.

> > Anonymous ciphers would be supported by default.
> 
> Postfix supports these by default, most other applications do not,
> as they're not part of the "DEFAULT" cipherlist in OpenSSL.

Thanks.

> > So maybe they stopped supporting them.
> 
> Perhaps they did explicitly turn off "aNULL", or they're not using Postfix.

It's probably more likely that they're not using Postfix.
Then the theory becomes: They did nothing. :-)

> -- 
> Viktor.

cheers,
raf
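The advice above, written out as a Postfix main.cf fragment. This is an added illustration, not configuration posted by anyone in the thread and not taken from any site's setup: the parameter names and the "Anonymous/Untrusted/Trusted TLS connection established" log wording are Postfix's own; the commented-out aNULL exclusion is the setting that makes an audit box turn green while gaining nothing at the opportunistic level; the choice of the "dane" level and a local DNSSEC-validating resolver are assumptions for the example.

```ini
# main.cf fragment (added example, not from the thread). Assumes Postfix 3.x
# built against OpenSSL, acting as the SMTP client that delivers outbound mail.

# Opportunistic TLS: encrypt when the peer offers STARTTLS, otherwise deliver
# in cleartext. No certificate is verified at this level, so the session is
# unauthenticated whether or not the peer's cipher suite carries a cert.
smtp_tls_security_level = may

# Audit-pleasing but counterproductive: excluding aNULL (anonymous DH/ECDH
# suites) here applies at every level, including "may". The remote cert is
# still unverified, so nothing is gained, and a peer that only offers aNULL
# suites now gets cleartext instead of encryption.
#smtp_tls_exclude_ciphers = aNULL

# Keep the Postfix default instead (no exclusions). At the authenticating
# levels (fingerprint, verify, secure, and dane when TLSA records are found)
# Postfix already refuses anonymous suites, so they never stand in for
# certificate verification.
smtp_tls_exclude_ciphers =

# Where authentication is actually wanted, use DANE (RFC 7672): destinations
# that publish DNSSEC-signed TLSA records are verified against them, and all
# others fall back to "may". Needs a DNSSEC-validating resolver on the host
# (assumption for this example: 127.0.0.1). To enable, replace the "may" line
# above with the two lines below.
#smtp_dns_support_level = dnssec
#smtp_tls_security_level = dane

# Log one line per delivery so the outcome is visible in the mail log:
#   "Anonymous TLS connection established to ..." -> aNULL suite, no cert
#   "Untrusted TLS connection established to ..." -> cert sent, not verified
#   "Trusted TLS connection established to ..."   -> CA-verified (verify/secure)
#   "Verified TLS connection established to ..."  -> DANE or fingerprint match
smtp_tls_loglevel = 1
```

After reloading Postfix, grepping the mail log for "TLS connection established" shows how much outbound mail is actually authenticated. The point of leaving aNULL in place is visible there: "Anonymous" and "Untrusted" sessions are equally unauthenticated, and the only configuration that moves deliveries into "Verified" is a level that checks something (DANE here), not a cipher list that forbids the peer from omitting a certificate it was never going to be checked on.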