[Ach] Suggested Postfix config allows some weak ciphers - please review

Albert Dengg albert at fsfe.org
Sat May 3 12:48:04 CEST 2014


hi,
On Sat, May 03, 2014 at 11:24:52AM +0200, Christian Busch wrote:
...
> > smtp_tls_protocols = !SSLv2, !SSLv3
> > smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> > smtp_tls_mandatory_ciphers = high
> > smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
> > smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
> > smtp_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
> > smtpd_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
> > 
> > Which then disables Anonymous DH, and the weakest cipher would be 128.
> 
> This fixed it for me too.
well yes and no:
for the submission port, yes disable all weak crypto.

on the other hand, for port 25/465 you are basically forcing some
servers to send unencrypted.
(if I remember correctly the Google SMTP servers only use RC4, or at
least did so 1.5 months ago when I did my last crypto tests for a
postfix installation).

so for s2s, enforcing strong crypto will most likely lead to more
cleartext transmissions (and requiring crypto on a public
mailserver will still lead to complaints from its users about not
receiving mails from a lot of other servers...)

for a server focused on internal communications, that might be of
course a different story.

regards,
albert
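To make the distinction above concrete, here is an added configuration example (not from Albert's or Christian's messages, and not the Postfix project's own documentation): port 25 stays opportunistic with the default "medium" cipher grade so that a peer which can only offer an older suite still gets encryption rather than cleartext, while the submission service overrides the TLS level to "encrypt" and applies the strong profile from the quoted config. The parameter names are real Postfix settings; the exact split of values between main.cf and master.cf is an assumption for illustration.

```text
# ---- main.cf : port 25 / 465, server-to-server traffic ----
# Server side: opportunistic TLS (level "may"). Cipher grade stays at the
# default "medium" and only anonymous DH is dropped, so a peer that cannot
# do better than e.g. RC4 still encrypts instead of falling back to plain.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL

# Client side (our outbound mail to other MX hosts): same reasoning.
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aNULL

# Mandatory-mode settings. Not consulted on port 25 (level "may"), but
# they apply to every service whose level is "encrypt" or stricter.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5

# ---- master.cf : submission (587), our own users' MUAs ----
# These clients are under our control, so require TLS and the strong
# profile. Values given with -o must not contain whitespace, hence the
# comma-only lists.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_mandatory_exclude_ciphers=aNULL,DES,RC4,MD5
  -o smtpd_sasl_auth_enable=yes
```

Before tightening the port 25 cipher list, it is worth checking what peers actually negotiate: Postfix logs each handshake as a "TLS connection established" line including the protocol and cipher suite, so a grep over the mail log shows how many sessions would be pushed to cleartext by excluding a given suite. For probing a specific remote server, posttls-finger (shipped with Postfix 2.11 and later) reports the suite it would negotiate with your current client settings.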

