On 15/6/2022 3:08 am, Viktor Dukhovni wrote:
Increasing security is primarily about raising the *ceiling*, and rarely about raising not floor. When you set the bar too high, instead of greater security, mail is sent in the clear or not at all.https://datatracker.ietf.org/doc/html/rfc7435 Mostly you should leave crypto policy to OpenSSL and Postfix defaults, and customise as little as possible. Most of the "hardening" advice you'll find is counter-productive to downright harmful.
I like the explaination using ceiling and floor. Very easy for me to understand.
Noted on leaving crypto policys on defaults. Lesson learnt. P.V.Anthony
