[Ach] SMTP client mode ciphers
christian mock
cm at coretec.at
Mon Nov 18 23:24:08 CET 2013
On Mon, Nov 18, 2013 at 06:18:12PM +0100, Wolfgang Breyha wrote:
> In general I hate the idea of mail admins looking out for "cut&paste" code
> without getting into the topics. Such admins shouldn't even think about
> setting cipher strings at all. At least if we're talking about SMTP. That's
> why I put that "please read...." on top of the Exim section;-)
In reality, a lot of people are "managing" SMTP servers that shouldn't.
> IMO it should be enough to set "prefer_server_ciphers" and stick to the
> default ciphers even for MSA mode. It is too easy to break support for certain
> older clients.
I think that depends; from your point of view as a university admin,
you probably have no influence on the client software. A company admin
may completely control the choice of clients and may be able to reduce
the cipher suites more.
> In client mode I recognized hosts using e.g.
> TLSv1.2:DHE-DSS-AES256-GCM-SHA384:256
> ... not available with the recommended ciphersuite.
'cause your server has a 1024 bit DSS certificate?
> And as MX I think a well sorted default cipher suite is the best available
> option currently.
definitely.
cm.
--
Christian Mock Wiedner Hauptstr. 15
Senior Security Engineer 1040 Wien
CoreTEC IT Security Solutions GmbH +43-1-5037273
FN 214709 z
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
CoreTEC: Web Application Audit - So that something like this doesn't happen!
http://heise.de/-1260559
.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.