[Ach] SMTP client mode ciphers

Wolfgang Breyha wolfgang.breyha at univie.ac.at
Mon Nov 18 18:18:12 CET 2013


christian mock wrote, on 18.11.2013 17:33:
> What is your experience of the understanding that people (our readers)
> have of the difference between opportunistic SMTP encryption,
> mandatory encryption (when you force communication with a certain MX
> to be encrypted), and encryption for submission/authenticated
> connections?
> 
> I think some explanation/introduction to those would be in order, but
> I don't think that fits into the SMTP/postfix/exim sections. But will
> people read it in one of the other sections when all they're looking
> for is cut&paste code for their infrastructure?

In general I hate the idea of mail admins looking out for "cut&paste" code
without getting into the topics. Such admins shouldn't even think about
setting cipher strings at all. At least if we're talking about SMTP. That's
why I put that "please read...." on top of the Exim section;-)

As you said, there are 3 different modes a mailserver operates in.

IMO it should be enough to set "prefer_server_ciphers" and stick to the
default ciphers even for MSA mode. It is too easy to break support for certain
older clients.

In client mode I recognized hosts using e.g.
TLSv1.2:DHE-DSS-AES256-GCM-SHA384:256
... not available with the recommended cipher suite.

And as MX I think a well sorted default cipher suite is the best available
option currently.

Servus, Wolfgang
-- 
Wolfgang Breyha <wolfgang.breyha at univie.ac.at> | http://zid.univie.ac.at/
Vienna University Computer Center              | Austria
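The mail above argues for inventorying what peers actually negotiate before tightening a cipher string, and quotes the Exim-style "TLSv1.2:DHE-DSS-AES256-GCM-SHA384:256" form. The following script is an added example, not code from the mail or from the Exim/Postfix projects: it parses constructed Exim main-log lines, tallies the negotiated protocol and cipher per direction ("<=" for inbound MX/MSA sessions, "=>" for outbound client-mode deliveries), and reports which ciphers fall outside a chosen allowlist so an admin can see what a stricter setting would break. It assumes Exim's default log layout in which the tls_cipher log selector writes the cipher as X=<protocol>:<cipher>:<bits>; the log lines, host names and allowlist are constructed for the example.

```python
"""Inventory TLS ciphers seen in Exim main-log lines.

Added example, not from the original mail. Assumes Exim's default
log format, where the tls_cipher log selector records the negotiated
cipher as X=<protocol>:<cipher>:<bits> (the form quoted in the mail).
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic); RFC 5737 addresses.
SAMPLE_LOG = """\
2013-11-18 17:10:01 1VicAB-000123-4Z <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps X=TLSv1.2:DHE-RSA-AES128-GCM-SHA256:128 S=2048
2013-11-18 17:10:05 1VicAB-000123-4Z => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5] X=TLSv1.2:DHE-DSS-AES256-GCM-SHA384:256
2013-11-18 17:11:00 1VicAC-000124-5A <= carol@example.com H=old.example.com [203.0.113.7] P=esmtps X=TLSv1:AES128-SHA:128 S=1024
2013-11-18 17:12:00 1VicAD-000125-6B <= dave@example.org H=plain.example.org [192.0.2.11] P=esmtp S=512
2013-11-18 17:13:00 1VicAE-000126-7C => erin@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5] X=TLSv1.2:DHE-DSS-AES256-GCM-SHA384:256
"""

LINE_RE = re.compile(r"""
    ^\S+\s+\S+\s+                 # date and time
    \S+\s+                        # Exim message id
    (?P<dir><=|=>)\s+             # <= inbound (MX/MSA), => outbound (client mode)
    .*?                           # addresses, router, transport
    H=(?P<host>\S+)               # peer host name
    (?:.*?X=(?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+))?  # TLS, if any
""", re.VERBOSE)

PLAINTEXT = "plaintext"  # marker for sessions that negotiated no TLS


def parse_log(text):
    """Return one record per delivery/receipt line; lines we can't parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "direction": m.group("dir"),
            "host": m.group("host"),
            "proto": m.group("proto") or PLAINTEXT,
            "cipher": m.group("cipher") or PLAINTEXT,
            "bits": int(m.group("bits")) if m.group("bits") else 0,
        })
    return records


def cipher_tally(records):
    """Count sessions by (direction, protocol, cipher)."""
    return Counter((r["direction"], r["proto"], r["cipher"]) for r in records)


def not_in_allowlist(records, allowed):
    """Map each negotiated cipher that is not in `allowed` to the peers that used it.

    Plaintext sessions are not ciphers and are reported separately by the tally.
    """
    flagged = defaultdict(set)
    for r in records:
        if r["cipher"] != PLAINTEXT and r["cipher"] not in allowed:
            flagged[r["cipher"]].add(r["host"])
    return dict(flagged)


if __name__ == "__main__":
    # Constructed allowlist standing in for a proposed restricted cipher string.
    proposed = {"DHE-RSA-AES128-GCM-SHA256", "AES128-SHA"}
    recs = parse_log(SAMPLE_LOG)
    for (direction, proto, cipher), n in sorted(cipher_tally(recs).items()):
        print(f"{direction} {proto:9} {cipher:28} {n}")
    for cipher, hosts in sorted(not_in_allowlist(recs, proposed).items()):
        print(f"would break: {cipher} used by {', '.join(sorted(hosts))}")
```

Running the script on the sample shows the outbound deliveries to mx.example.net negotiating DHE-DSS-AES256-GCM-SHA384, which the constructed allowlist lacks, alongside one inbound peer still on TLSv1 and one that sent in plaintext; on a real log the same tally is what tells you whether a tighter cipher string is safe for your actual correspondents.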