On Thu, Jun 09, 2022 at 07:54:56PM +0200, Bastian Blank wrote:
> On Thu, Jun 09, 2022 at 07:05:24PM +0200, Steffen Nurpmeso wrote:
> > [also there is
> >     smtpd_tls_mandatory_exclude_ciphers =
> >         aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> >         EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES,
> >         CBC3-SHA
> > but I definitely should put more care into this one!]
>
> Could you explain why you exclude aNULL? Esp. as you seem to use it
> for non-mandatory settings as well?
Some people do it just to quiet red marks on misguided security scanner
scores. I actually recommend enabling aNULL, though the ability to do
that is still missing in TLS 1.3 (the crypto maximalists are winning):

    https://datatracker.ietf.org/doc/html/rfc7672#section-8.2

With mandatory authenticated TLS, aNULL ciphers are automatically
disabled in the Postfix SMTP client.

-- 
    Viktor.
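The two positions in the exchange above, side by side as a Postfix main.cf fragment. This is an added illustration, not configuration posted by either participant: the parameter names are real Postfix TLS settings, but the exclude lists and security levels are illustrative choices, not values from the thread.

```ini
# Added example (not from the thread): how the aNULL question plays out in
# Postfix main.cf. Parameter names are real; the lists below are illustrative.
# Note: TLS 1.3 defines no anonymous cipher suites, so none of these exclude
# lists can add or remove aNULL for TLS 1.3 sessions; they only affect TLS 1.2
# and earlier.

# --- Server side ----------------------------------------------------------
# Opportunistic TLS: any encryption beats cleartext, so aNULL is left enabled
# and only ciphers that are weak in themselves are excluded.
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = eNULL, EXPORT, DES, RC4, MD5, 3DES

# Scanner-appeasing variant (what the quoted config effectively does): also
# drops aNULL, which takes away an encrypted option from sending clients that
# do not verify this server's certificate anyway.
# smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, 3DES

# --- Client side ----------------------------------------------------------
# At the authenticated mandatory levels ("verify", "secure", and "dane" when
# usable TLSA records are found) the Postfix SMTP client excludes aNULL on its
# own, per RFC 7672 section 8.2, so listing aNULL in the mandatory exclude
# list is redundant there. With "dane", destinations without usable TLSA
# records fall back to opportunistic behaviour, where aNULL stays available.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_mandatory_exclude_ciphers = eNULL, EXPORT, DES, RC4, MD5, 3DES
```

To see what a given exclude list actually leaves, expand the cipher string with `openssl ciphers -v 'ALL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!3DES'` (Postfix turns each comma-separated entry into an OpenSSL `!` exclusion) and look for `Au=None` entries, which are the anonymous (aNULL) suites.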