> On Jun 15, 2018, at 8:28 AM, micah anderson wrote:
>
> In 2015, Viktor wrote an email detailing the current recommended TLS
> settings[0].
>
> Now that we are three years later, are these still the best settings? Is
> there something better we can be recommending?
>
> If anything, I think
t actually should be *default*), but I'm wondering about
the other recommended ciphers/protocols/excludes etc. as well.
thanks!
--
micah
0. http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-td78583.html
On Sat, Aug 15, 2015 at 09:02:24PM +0200, Thomas Keller wrote:
> > # Exclude obsolete weak crypto.
> > #
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> > smtpd_tls_ciphers = medium
> > smtp_tls_protocols = !SSLv2, !SSLv3
> > smtp_tls_ciphers = medium
> >
>
> If I set "smtpd_t
On 2015-08-06 09:08, Viktor Dukhovni wrote:
>
> You should in most cases update main.cf by setting:
>
> # Exclude obsolete weak crypto.
> #
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_ciphers = medium
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_ciphers = medium
Thank you Viktor.
On Fri, Aug 07, 2015 at 10:24:34AM +0200, Luigi Rosa wrote:
> >Recent updates to the supported Postfix releases have updated the
> >default settings of the OpenSSL ciphers used for opportunistic TLS
> >from "export" to "medium".
>
> Viktor,
> thank you so much for this mini-howto.
>
> As an added
On 07 Aug 2015, at 06:14, Viktor Dukhovni wrote:
> On Fri, Aug 07, 2015 at 02:55:42AM +0200, DTNX Postmaster wrote:
>
>> For most systems, monitoring the status of their encryption just isn't
>> done at all; they use the defaults their device or server came with at
>> the time they purchased i
Viktor Dukhovni wrote on 06/08/2015 09:08:
Recent updates to the supported Postfix releases have updated the
default settings of the OpenSSL ciphers used for opportunistic TLS
from "export" to "medium".
Viktor,
thank you so much for this mini-howto.
As an added security I rotate DH parameters
On Fri, Aug 07, 2015 at 02:55:42AM +0200, DTNX Postmaster wrote:
> For most systems, monitoring the status of their encryption just isn't
> done at all; they use the defaults their device or server came with at
> the time they purchased it, and rarely keep up with the times.
They don't need to.
On 06 Aug 2015, at 21:44, Michael Ströder wrote:
>>> simply look whether their system uses STARTTLS or not and won't check
>>> which particular ciphers are used. IMO it might be a good learning effect
>>> for them if you disable STARTTLS for them.
>>
>> This is wrong. RC4 is not worse than
Michael Ströder:
> Viktor Dukhovni wrote:
> > On Thu, Aug 06, 2015 at 10:25:04AM +0200, Michael Ströder wrote:
> >
> >>> On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
> Why medium and not high, while we're at it? What clients would have
> problems with it?
> >>>
> >>> Be
Viktor Dukhovni wrote:
> On Thu, Aug 06, 2015 at 10:25:04AM +0200, Michael Ströder wrote:
>
>>> On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
Why medium and not high, while we're at it? What clients would have
problems with it?
>>>
>>> Because cleartext is not stronger t
On Thu, Aug 06, 2015 at 10:25:04AM +0200, Michael Ströder wrote:
> > On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
> >> Why medium and not high, while we're at it? What clients would have
> >> problems with it?
> >
> > Because cleartext is not stronger than medium. If you make T
Viktor Dukhovni wrote:
> On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
>> Why medium and not high, while we're at it? What clients would have
>> problems with it?
>
> Because cleartext is not stronger than medium. If you make TLS
> impossible for peers that only support medium, t
On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
> > You should in most cases update main.cf by setting:
> >
> > # Exclude obsolete weak crypto.
> > #
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> > smtpd_tls_ciphers = medium
> > smtp_tls_protocols = !SSLv2, !SSLv3
On 2015-08-06 09:08, Viktor Dukhovni wrote:
>
> Recent updates to the supported Postfix releases have updated the
> default settings of the OpenSSL ciphers used for opportunistic TLS
> from "export" to "medium".
>
> If you're not yet using one of the releases from mid July, or
> have set non-defau
Recent updates to the supported Postfix releases have updated the
default settings of the OpenSSL ciphers used for opportunistic TLS
from "export" to "medium".
If you're not yet using one of the releases from mid July, or
have set non-default values for either of:
smtpd_tls_protocols
smtp