[Ach] Postfix

Kurt Roeckx kurt at roeckx.be
Mon Dec 30 18:37:43 CET 2013


Hi,

SMTP can typically only use opportunistic encryption.  Postfix
comes with sane defaults if you enable it.

But Postfix also supports DANE, which can be used for mandatory
authentication, at which point Postfix will also require stronger
encryption.  I think we should encourage people to set up DNSSEC
and DANE.

There are also known compatibility issues with Exchange on Windows
2003 where the 3DES CBC padding is broken.  It also only looks at the
first 64 elements of the cipher list.  As I understand things, the
best cipher we can use for those servers is RC4, so we need to get
that in the first 64 ciphers that we announce and before 3DES.
I ended up suggesting this for export:
aNULL:-aNULL:ALL:+RC4:!SRP:!PSK:!SEED:!MD5:!CAMELLIA:@STRENGTH:+3DES:+LOW:+EXPORT

(You might want to read http://bugs.debian.org/729188)


Kurt
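The constraint in the message above (RC4 must sit within the first 64 announced suites and ahead of 3DES, because the Windows 2003 Exchange peer ignores everything past entry 64 and fails on 3DES CBC padding) is easy to get wrong with a long modern cipher list. The script below is an added example for this archive page, not Kurt's code and not part of Postfix; it models that server behaviour as described in the message, checks an ordering against it, and can optionally feed the order a local `openssl ciphers` produces for Kurt's string through the same check. The two cipher orderings embedded in it are constructed approximations of an OpenSSL 1.0.x `ALL` list, not the output of any particular build, and the set of suites the modelled server accepts is an assumption for the model.

```python
"""Check a cipher-list ordering against the Exchange 2003 behaviour the
message describes: the server considers only the first 64 suites the
client announces, and its 3DES CBC padding is broken, so RC4 must be
inside that window and ahead of 3DES.

Added example for this archive page; not Kurt's code, not Postfix code.
"""
import shutil
import subprocess
from typing import Callable, Dict, List, Optional

# Assumption taken from the message: the server inspects at most this
# many entries of the client's cipher list.
EXCHANGE_2003_WINDOW = 64

# Modelled server: assumption for this example.  3DES negotiates but its
# CBC padding is broken, so a 3DES pick counts as a failed connection.
EXCHANGE_2003_SUPPORTED = {"RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"}
EXCHANGE_2003_BROKEN = {"DES-CBC3-SHA"}

# The string suggested in the message.
KURT_SPEC = ("aNULL:-aNULL:ALL:+RC4:!SRP:!PSK:!SEED:!MD5:!CAMELLIA:"
             "@STRENGTH:+3DES:+LOW:+EXPORT")


def is_rc4(name: str) -> bool:
    return "RC4" in name


def is_3des(name: str) -> bool:
    return "DES-CBC3" in name


def first_index(names: List[str], pred: Callable[[str], bool]) -> Optional[int]:
    for i, n in enumerate(names):
        if pred(n):
            return i
    return None


def check_rc4_placement(ciphers: List[str]) -> Dict[str, object]:
    """Is RC4 within the first 64 entries and before the first 3DES suite?"""
    rc4 = first_index(ciphers, is_rc4)
    des3 = first_index(ciphers, is_3des)
    ok = (rc4 is not None and rc4 < EXCHANGE_2003_WINDOW
          and (des3 is None or rc4 < des3))
    return {"rc4_index": rc4, "3des_index": des3, "ok": ok}


def exchange_2003_outcome(announced: List[str]) -> Dict[str, object]:
    """Model of the peer: first supported suite among the first 64 wins;
    a 3DES pick is reported as a non-working connection."""
    for name in announced[:EXCHANGE_2003_WINDOW]:
        if name in EXCHANGE_2003_SUPPORTED:
            return {"picked": name, "works": name not in EXCHANGE_2003_BROKEN}
    return {"picked": None, "works": False}


def openssl_order(spec: str) -> Optional[List[str]]:
    """Order a local openssl gives for `spec`, or None if openssl is absent
    or rejects the spec.  OpenSSL 1.1.0+ builds drop RC4/EXPORT suites, so
    on a modern build the RC4 check will report rc4_index None."""
    if shutil.which("openssl") is None:
        return None
    r = subprocess.run(["openssl", "ciphers", spec], capture_output=True, text=True)
    if r.returncode != 0 or not r.stdout.strip():
        return None
    return r.stdout.strip().split(":")


# Constructed cipher orderings (approximations of an OpenSSL 1.0.x list).
_KX = ["ECDHE-RSA-", "ECDHE-ECDSA-", "DHE-RSA-", "DHE-DSS-",
       "ECDH-RSA-", "ECDH-ECDSA-", "DH-RSA-", "DH-DSS-", ""]
_AES256 = ["AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA"]
_AES128 = ["AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA"]
_CAMELLIA = ["CAMELLIA256-SHA", "CAMELLIA128-SHA"]

# "Strong first, weak last": 72 AES/Camellia suites push RC4 past entry 64.
NAIVE_ORDER = [kx + s for kx in _KX for s in _AES256 + _AES128 + _CAMELLIA] + [
    "ECDHE-RSA-DES-CBC3-SHA", "DES-CBC3-SHA",
    "ECDHE-RSA-RC4-SHA", "RC4-SHA", "RC4-MD5"]

# Roughly what KURT_SPEC aims for: 256-bit, then 128-bit, RC4, then 3DES.
TUNED_ORDER = ([kx + s for kx in _KX for s in _AES256]
               + [kx + s for kx in _KX for s in _AES128]
               + ["ECDHE-RSA-RC4-SHA", "RC4-SHA"]
               + ["ECDHE-RSA-DES-CBC3-SHA", "DES-CBC3-SHA"])

# RC4 inside the window, but 3DES ahead of it: the peer picks broken 3DES.
BAD_ORDER = ([kx + s for kx in _KX for s in _AES256 + _AES128]
             + ["DES-CBC3-SHA", "RC4-SHA"])


if __name__ == "__main__":
    for label, order in (("naive", NAIVE_ORDER), ("tuned", TUNED_ORDER),
                         ("bad", BAD_ORDER)):
        print(label, check_rc4_placement(order), exchange_2003_outcome(order))
    live = openssl_order(KURT_SPEC)
    if live is not None:
        print("local openssl:", check_rc4_placement(live))
```

The naive ordering fails not because RC4 is missing but because the peer never sees it; the "bad" ordering shows the second half of the constraint, where RC4 is within reach but 3DES is picked first and the padding bug kills the connection. Run it against a real OpenSSL 1.0.x build to see where Kurt's string actually lands RC4.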
