why?
not my own server/config
Can you explain how each of these is better than the Postfix defaults?
all but two _are_ at defaults
postconf -n | grep -i tls | grep -i cipher | sort
@D smtpd_tls_ciphers = medium
@D smtpd_tls_exclude_ciphers =
@D smtpd_tls_mandatory_ciphers = medium
@D smtp_tls_ciphers = medium
! smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP,
    PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8,
    3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256,
    ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
@D smtp_tls_mandatory_ciphers = medium
! tls_preempt_cipherlist = yes
@D tlsproxy_tls_mandatory_exclude_ciphers =
    $smtpd_tls_mandatory_exclude_ciphers
postconf -d smtp_tls_ciphers smtp_tls_exclude_ciphers \
    smtp_tls_mandatory_ciphers smtpd_tls_ciphers smtpd_tls_exclude_ciphers \
    smtpd_tls_mandatory_ciphers tls_preempt_cipherlist \
    tlsproxy_tls_mandatory_exclude_ciphers | sort
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers =
smtpd_tls_mandatory_ciphers = medium
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers =
smtp_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = no
tlsproxy_tls_mandatory_exclude_ciphers =
    $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_exclude_ciphers is client-side, not server-side
(smtpd_tls_exclude_ciphers), and as i understand it shouldn't be involved in
the smtp*d* inbound transaction.
or is it?
in any case, mod'ing
postconf -n smtp_tls_mandatory_ciphers tls_preempt_cipherlist
smtp_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = no
has no effect, and results in the same errors from the *.iphmx.com sender in my
OP
I expect that Viktor will respond with a detailed coherent explanation
i'll look forward to it as always
there was some RC4 usage from ironport a while ago,
https://community.cisco.com/t5/email-security/no-tls-for-ironport-cloud/td-p/2467698
unclear if/how it was resolved.
what specific postfix logging, if any, will ID what cipher is being
attempted/used?
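
The "@D" / "!" tagging of `postconf -n` output against `postconf -d` defaults shown in the message above can be scripted. This is an added example, not part of the original post; the function names and sample files are hypothetical, and the sample input is constructed from values quoted in the message.

```shell
# Added example: tag each TLS cipher parameter as default (@D) or changed (!).

# Turn postconf output into "name<TAB>value" records, gluing wrapped
# continuation lines back onto the parameter they belong to.
normalize() {
    awk '
        function emit() {
            if (name == "") return
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print name "\t" val
        }
        /^[A-Za-z0-9_]+ =/ { emit(); name = $1; val = $0; sub(/^[^=]*=/, "", val); next }
        { val = val " " $0 }
        END { emit() }
    ' "$1"
}

# $1 = file holding `postconf -n` output, $2 = file holding `postconf -d` output.
mark_defaults() {
    defs=$(mktemp) || return 1
    normalize "$2" > "$defs"
    normalize "$1" | awk -F '\t' -v dfile="$defs" '
        BEGIN { while ((getline l < dfile) > 0) { split(l, f, "\t"); def[f[1]] = f[2] } }
        /tls/ && /cipher/ {
            tag = (($1 in def) && ($2 "") == (def[$1] "")) ? "@D" : "!"
            print tag " " $1 " = " $2
        }
    '
    rm -f "$defs"
}

# Constructed sample input, using values quoted in the message above.
sample_dir=$(mktemp -d)
cat > "$sample_dir/actual" <<'EOF'
smtpd_tls_ciphers = medium
smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP,
PSK, kDH, DH, kRSA
tls_preempt_cipherlist = yes
tlsproxy_tls_mandatory_exclude_ciphers =
$smtpd_tls_mandatory_exclude_ciphers
EOF
cat > "$sample_dir/defaults" <<'EOF'
smtpd_tls_ciphers = medium
smtp_tls_exclude_ciphers =
tls_preempt_cipherlist = no
tlsproxy_tls_mandatory_exclude_ciphers =
$smtpd_tls_mandatory_exclude_ciphers
EOF
mark_defaults "$sample_dir/actual" "$sample_dir/defaults"
```

On a live host the two input files would come from `postconf -n > actual` and `postconf -d > defaults`.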