[Ach] SMTP client mode ciphers

christian mock cm at coretec.at
Mon Nov 18 23:24:08 CET 2013

On Mon, Nov 18, 2013 at 06:18:12PM +0100, Wolfgang Breyha wrote:

> In general I hate the idea of mail admins looking out for "cut&paste" code
> without getting into the topics. Such admins shouldn't even think about
> setting cipher strings at all. At least if we're talking about SMTP. That's
> why I put that "please read...." on top of the Exim section;-)

In reality, a lot of people are "managing" SMTP servers that shouldn't.

> IMO it should be enough to set "prefer_server_ciphers" and stick to the
> default ciphers even for MSA mode. It is to easy to break support for certain
> older clients.

I think that depends; from your point of view as a university admin,
you probably have no influence on the client software. A company admin
may completely control the choice of clients and may be able to reduce
the cipher suites more.

> In client mode I recognized hosts using eg.
> TLSv1.2:DHE-DSS-AES256-GCM-SHA384:256
> ... not available with the recommended ciphersuite.

'cause your server has a 1024 bit DSS certificate?

> And as MX I think a well sorted default cipher suite is the best available
> option currently.



Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - Damit so etwas nicht passiert!



More information about the Ach mailing list