On 19/03/23 09:08, Steffen Nurpmeso via Postfix-users wrote:
> I still have no problems with
>
>   smtpd_tls_mandatory_protocols = >=TLSv1.2
This is fine, so long as you don't have a user that can't support at
least TLSv1.2 that needs to use submission.
>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
This will simply result in clients that can't support at least TLSv1.2
connecting in plain text instead. So rather than having (arguably not
so) poor encryption for those clients you would rather have no encryption
at all? This does not make any sense.
>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
I would avoid messing with this setting unless you really understand
what you are doing, and even then it's not a very good idea. You could
end up causing some clients to be unable to establish a connection or on
the flip side you could inadvertently be enabling a cipher that ends up
becoming vulnerable in the future unless you stay on top of this setting
and remove it from the list. Note that the default for this setting is
taken from openssl so when a vulnerability does get found in a cipher
you will get an update to openssl from your OS vendor which will remove
that cipher from the list, unless you do something like override it like
you are doing above.
>   smtpd_tls_mandatory_ciphers = high
This is fine.
Peter
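An added audit script (not from the thread and not Postfix code) that flags both points raised in the reply above when run over a main.cf: it expands the `$smtpd_tls_mandatory_protocols` reference, works out which protocols the opportunistic smtpd_tls_protocols setting refuses, and reports a locally overridden tls_high_cipherlist. The main.cf text is constructed from the quoted settings; the parameter names are the real Postfix ones.

```python
"""Audit a Postfix main.cf for the two TLS pitfalls in the reply (added example, not Postfix code)."""
import re

# Constructed main.cf fragment reproducing the quoted configuration.
QUOTED_MAIN_CF = """\
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
# super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
smtpd_tls_mandatory_ciphers = high
"""
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_main_cf(text):
    """Return {parameter: value}; comments dropped, $name references expanded."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    expand = lambda m: params.get(m.group(1), m.group(0))
    return {k: re.sub(r"\$\{?(\w+)\}?", expand, v) for k, v in params.items()}

def allowed_protocols(spec):
    """Protocols a spec admits: '>=X'/'<=X' bounds, or a name list ('!' excludes)."""
    tokens = [t for t in re.split(r"[\s,:]+", spec) if t]
    allowed = set(PROTOCOLS)
    bounds = [t for t in tokens if t[:2] in (">=", "<=")]
    for t in bounds:
        i = PROTOCOLS.index(t[2:])
        allowed &= set(PROTOCOLS[i:] if t[:2] == ">=" else PROTOCOLS[:i + 1])
    if bounds:
        return allowed
    included = {t for t in tokens if not t.startswith("!")} & allowed
    return (included or allowed) - {t[1:] for t in tokens if t.startswith("!")}

def audit(main_cf_text):
    """Return findings for the configuration; an empty list means none apply."""
    params, findings = parse_main_cf(main_cf_text), []
    if "smtpd_tls_protocols" in params:
        # Opportunistic TLS shields clients that would otherwise speak plaintext;
        # a protocol refused here sends them back to plaintext, not to better TLS.
        refused = [p for p in PROTOCOLS[2:] if p not in allowed_protocols(params["smtpd_tls_protocols"])]
        if refused:
            findings.append(f"smtpd_tls_protocols refuses {', '.join(refused)}: those clients fall back to plaintext")
    if "tls_high_cipherlist" in params:
        # A hand-written cipher list no longer tracks the OpenSSL/vendor default.
        findings.append("tls_high_cipherlist overridden: cipher list no longer tracks OpenSSL")
    return findings
```

Dropping the smtpd_tls_protocols and tls_high_cipherlist lines while keeping the mandatory settings yields no findings.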
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org