[Ach] SMTP client mode ciphers

Wolfgang Breyha wolfgang.breyha at univie.ac.at
Mon Nov 18 18:18:12 CET 2013

christian mock wrote, on 18.11.2013 17:33:
> What is your experience of the understanding that people (our readers)
> have of the difference between opportunistic SMTP encryption,
> mandatory encryption (when you force communication with a certain MX
> to be encrypted), and encryption for submission/authenticated
> connections?
> I think some explanation/introduction to those would be in order, but
> I don't think that fits into the SMTP/postfix/exim sections. But will
> people read it in one of the other sections when all they're looking
> for is cut&paste code for their infrastructure?

In general I hate the idea of mail admins looking out for "cut&paste" code
without getting into the topics. Such admins shouldn't even think about
setting cipher strings at all. At least if we're talking about SMTP. That's
why I put that "please read...." on top of the Exim section;-)

As you said, there are 3 different modes a mailserver operates in.

IMO it should be enough to set "prefer_server_ciphers" and stick to the
default ciphers even for MSA mode. It is to easy to break support for certain
older clients.

In client mode I recognized hosts using eg.
... not available with the recommended ciphersuite.

And as MX I think a well sorted default cipher suite is the best available
option currently.

Servus, Wolfgang
Wolfgang Breyha <wolfgang.breyha at univie.ac.at> | http://zid.univie.ac.at/
Vienna University Computer Center              | Austria

More information about the Ach mailing list