--- Forwarded from Steffen Nurpmeso <stef...@sdaoden.eu> ---
Date: Sun, 19 Mar 2023 00:06:13 +0100
Author: Steffen Nurpmeso <stef...@sdaoden.eu>
From: Steffen Nurpmeso <stef...@sdaoden.eu>
To: Peter <pe...@pajamian.dhs.org>
Subject: Re: [pfx] Re: Allow TLSv1 only for internal senders
Message-ID: <20230318230613.c9hc0%stef...@sdaoden.eu>
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
Peter wrote in <29591811-f04e-b667-d5df-3e3223e7d...@pajamian.dhs.org>:
 |On 19/03/23 09:08, Steffen Nurpmeso via Postfix-users wrote:
 |> I still have no problems with
 |>
 |> smtpd_tls_mandatory_protocols = >=TLSv1.2
 |
 |This is fine, so long as you don't have a user that can't support at
 |least TLSv1.2 that needs to use submission.

Submission via VPN (without starttls / TLS).

 |> smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
 |
 |This will simply result in clients that can't support at least TLSv1.2
 |connecting in plain text instead. So rather than having (arguably not
 |so) poor encryption for those clients you would rather have no encryption
 |at all? This does not make any sense.

There is none. I have looked, there is only a single server of value,
and it does not even try starttls. (And he won the USENIX Flame award.)

 |> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
 |> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
 |
 |I would avoid messing with this setting unless you really understand
 |what you are doing, and even then it's not a very good idea. You could
 |end up causing some clients to be unable to establish a connection or on
 |the flip side you could inadvertently be enabling a cipher that ends up
 |becoming vulnerable in the future unless you stay on top of this setting
 |and remove it from the list. Note that the default for this setting is
 |taken from openssl so when a vulnerability does get found in a cipher
 |you will get an update to openssl from your OS vendor which will remove
 |that cipher from the list, unless you do something like override it like
 |you are doing above.
 |
 |> smtpd_tls_mandatory_ciphers = high
 |
 |This is fine.
--steffen
 |
 |Der Kragenbaer,                The moon bear,
 |der holt sich munter           he cheerfully and one by one
 |einen nach dem anderen runter  wa.ks himself off
 |(By Robert Gernhardt)

-- End forward <20230318230613.c9hc0%stef...@sdaoden.eu>
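The two risks Peter raises in the exchange above (an opportunistic `smtpd_tls_protocols` that excludes older TLS versions makes legacy clients fall back to cleartext rather than to older TLS, and an explicit `tls_high_cipherlist` cuts the server off from the OpenSSL defaults that vendor updates maintain) can be checked mechanically. The following is an added example, not code from the thread or from the Postfix project: a small Python linter over two constructed `main.cf` fragments, the first mirroring the settings discussed, the second leaving opportunistic TLS at `>=TLSv1`. The protocol list, the `$name` expansion and the fallback defaults used when a parameter is absent are simplifying assumptions of this example, not Postfix's exact semantics.

```python
import re

# Constructed main.cf fragment mirroring the settings discussed in the thread.
STRICT_CF = """
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
smtpd_tls_mandatory_ciphers = high
"""

# Constructed variant: mandatory TLS stays strict, opportunistic TLS stays permissive.
PERMISSIVE_CF = """
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1
smtpd_tls_mandatory_ciphers = high
"""

# Ordered protocol names as used in Postfix protocol specs (assumption: this fixed list).
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumed fallback when a protocol parameter is not set (simplified, not Postfix's real default).
ASSUMED_DEFAULT_SPEC = "!SSLv2, !SSLv3"


def parse_main_cf(text):
    """Parse 'key = value' lines and expand $name / ${name} references."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()

    def expand(value):
        # Recursive expansion so a parameter may refer to another parameter.
        return re.sub(r"\$\{?(\w+)\}?", lambda m: expand(params.get(m.group(1), "")), value)

    return {k: expand(v) for k, v in params.items()}


def enabled_protocols(spec):
    """Return the protocol versions a spec enables.

    Handles the '>=TLSv1.2' floor form and the '!SSLv2, !SSLv3' exclusion form.
    """
    spec = spec.strip()
    if spec.startswith(">="):
        floor = spec[2:].strip()
        return set(ALL_PROTOCOLS[ALL_PROTOCOLS.index(floor):])
    enabled = set(ALL_PROTOCOLS)
    for token in re.split(r"[\s,]+", spec):
        if token.startswith("!"):
            enabled.discard(token[1:])
    return enabled


def lint(text):
    """Return a list of findings, each starting with a short tag."""
    params = parse_main_cf(text)
    findings = []
    level = params.get("smtpd_tls_security_level", "none")
    opportunistic = enabled_protocols(params.get("smtpd_tls_protocols", ASSUMED_DEFAULT_SPEC))

    # With security level 'may', a client that cannot negotiate an enabled
    # protocol does not get an older TLS version; it simply sends in cleartext.
    if level == "may":
        dropped = {"TLSv1", "TLSv1.1"} - opportunistic
        if dropped:
            findings.append(
                "opportunistic-tls-excludes-legacy: clients limited to %s will "
                "connect in cleartext rather than with older TLS" % ", ".join(sorted(dropped))
            )

    # An explicit cipher list replaces the OpenSSL-derived default, so a
    # vendor OpenSSL update that drops a cipher no longer affects this server.
    if "tls_high_cipherlist" in params:
        findings.append(
            "cipherlist-override: tls_high_cipherlist replaces the OpenSSL default; "
            "vendor updates that remove a cipher will not apply here"
        )
    return findings


if __name__ == "__main__":
    for name, cf in (("strict", STRICT_CF), ("permissive", PERMISSIVE_CF)):
        print(name, lint(cf) or ["no findings"])
```

Run stand-alone it reports both findings for the first fragment and none for the second; the check is deliberately limited to the two points made in the thread and says nothing about whether the ciphers themselves are sound.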