On 07.12.22 12:28, Alex wrote:
>smtp_tls_security_level = may
>smtpd_tls_security_level = may
>smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
>smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
On Thu, Dec 8, 2022 at 2:17 AM Matus UHLAR - fantomas <uh...@fantomas.sk>
wrote:
so, you don't enforce TLS on a server-server communication (correct), but
you disable tlsv1 and tlsv1.1 protocols.
This means, if you communicate with an older server supporting up to TLS 1.1
or 1.0, communication will be unencrypted.
This does not make much sense - tls1.0 is better than plaintext.
On 10.12.22 16:48, Alex wrote:
I think I assumed there was a vulnerability, like there is with SSLv3, that
led me to disable it.
Disabling sslv3 should be fine, I don't think any server available on the
internet supports sslv3 max.
But even if it did, there wouldn't be much benefit in plaintext connections.
Can I also ask if it's a security risk from an information disclosure
perspective to have multiple domains on the same letsencrypt cert?
No.
Each postfix instance I have configured processes mail for a number of
different domains, so it's possible a user could ascertain info about those
other clients by querying the cert directly.
Different certs are only needed when you use multiple server names, not when
different domains point to the same server name.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
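The point made in the thread, as an added illustration that is not part of any message above: the posted main.cf excludes TLS 1.0/1.1 from smtp_tls_protocols, which governs opportunistic ("may") connections, so a peer that only speaks TLS 1.0/1.1 fails the handshake and the mail goes out in cleartext. The adjusted fragment keeps the opportunistic list permissive and leaves the strict list on smtp_tls_mandatory_protocols, which only applies where TLS is enforced. The parameter names are real Postfix parameters; the policy-map path and the "example.net" destination are made-up placeholders.

```ini
# Added example: two main.cf fragments side by side. Not the thread's own
# configuration. The policy-map path and example.net are placeholders.

# --- As posted (kept commented out so the file has no duplicate keys) ---
# With security_level "may", a peer offering only TLS 1.0/1.1 cannot complete
# the handshake under this protocol list, so delivery falls back to plaintext.
#smtp_tls_security_level       = may
#smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1

# --- Adjusted: opportunistic TLS accepts any TLS version, strictness only where enforced ---
smtp_tls_security_level        = may
# Governs "may" connections: exclude only SSLv2/SSLv3 so old peers still get TLS 1.0/1.1
smtp_tls_protocols             = !SSLv2,!SSLv3
# Governs encrypt/verify/secure connections, where there is no plaintext fallback anyway
smtp_tls_mandatory_protocols   = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# Per-destination enforcement (placeholder path); a line such as
#   example.net   encrypt
# in that table makes the mandatory protocol list apply to that destination
smtp_tls_policy_maps           = hash:/etc/postfix/tls_policy

# Inbound side, same reasoning: keep opportunistic STARTTLS reachable for old clients
smtpd_tls_security_level       = may
smtpd_tls_protocols            = !SSLv2,!SSLv3
smtpd_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
```

After editing, `postconf -n | grep tls_protocols` shows the effective values and `postfix reload` applies them. The thread's example list uses the exclusion syntax on purpose so it matches the configuration Alex posted; whether TLS 1.0/1.1 should ever be refused for opportunistic delivery is exactly the trade-off Matus describes, an old TLS version versus no encryption at all.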