[Ach] Suggested Postfix config allows some weak ciphers - please review
thomas at preissler.co.uk
Sat May 3 17:26:23 CEST 2014
On Sat, May 03, 2014 at 03:28:07PM +0200, Wolfgang Breyha wrote:
> On 03/05/14 12:53, christian mock wrote:
> > Disabling RC4 ciphers would lose 3% of the incoming and 0.04% of
> > outgoing TLS connections.
> And disabling MD5 would lose such "unworthy" hosts like:
> H=honeycrisp.apple.com (mail-out.apple.com) [22.214.171.124]
> H=dabinett.apple.com (bz.apple.com) [126.96.36.199]
> H=foxwhelp.apple.com (bz.apple.com) [188.8.131.52]
> H=bz.apple.com (bz.apple.com) [184.108.40.206]
> which at best connect with TLSv1:RC4-MD5:128.
> And if SSL handshake fails they do not bother to try unencrypted as well.
Yeah, I completely missed that STARTTLS is effectively "best
effort" and that screwing it up would make it worse.
Thanks for your thoughts.
www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint: CCBD 153A D257 CA7E A217 FDF7 5928 03D1 7588 9415
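
An added example, not part of the original message or thread: one way to measure, before removing RC4 or MD5 suites, how many inbound TLS sessions would be affected and which peers they come from. It assumes Exim-style mainlog lines carrying an `X=protocol:cipher:bits` field, as in the `TLSv1:RC4-MD5:128` string quoted above; the log lines are constructed and `cipher_impact` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines in Exim mainlog style (not taken from the thread);
# hosts and addresses use reserved example names and documentation IP ranges.
SAMPLE_LOG = """\
2014-05-03 12:00:01 1WgA01-0000aa-01 <= a@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLSv1:RC4-MD5:128 S=2210
2014-05-03 12:00:02 1WgA02-0000aa-02 <= b@example.net H=mx2.example.net [192.0.2.11] P=esmtps X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 S=1804
2014-05-03 12:00:03 1WgA03-0000aa-03 <= c@example.com H=mx3.example.com [192.0.2.12] P=esmtps X=TLSv1:RC4-SHA:128 S=990
2014-05-03 12:00:04 1WgA04-0000aa-04 <= d@example.com H=mx4.example.com [192.0.2.13] P=esmtp S=4100
2014-05-03 12:00:05 1WgA05-0000aa-05 <= e@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLSv1:RC4-MD5:128 S=3020
2014-05-03 12:00:06 1WgA06-0000aa-06 <= f@example.net H=mx5.example.net [192.0.2.14] P=esmtps X=TLSv1:AES128-SHA:128 S=760
"""

# Sending host, then the X= field split into protocol, cipher suite and key bits.
TLS_FIELD = re.compile(r"\bH=(\S+).*?\bX=([^:\s]+):([^:\s]+):(\d+)")


def cipher_impact(log_text, banned=("RC4", "MD5")):
    """Return (tls_total, affected, hosts) for inbound TLS deliveries.

    affected counts sessions whose negotiated suite contains a banned
    component; hosts maps each such sending host to its session count.
    """
    tls_total = 0
    affected = 0
    hosts = Counter()
    for line in log_text.splitlines():
        if " <= " not in line:          # only message-arrival lines
            continue
        match = TLS_FIELD.search(line)
        if not match:                   # no X= field: plaintext delivery
            continue
        host, _proto, cipher, _bits = match.groups()
        tls_total += 1
        # Compare whole suite components so "MD5" never matches by substring.
        if any(part in banned for part in cipher.split("-")):
            affected += 1
            hosts[host] += 1
    return tls_total, affected, hosts


if __name__ == "__main__":
    total, hit, peers = cipher_impact(SAMPLE_LOG)
    print(f"{hit}/{total} TLS sessions ({100 * hit / total:.1f}%) negotiated a banned suite")
    for host, count in peers.most_common():
        print(f"  {host}: {count}")
```

The per-host list is the part to review: as the quoted reply notes, a peer that only ever negotiates a banned suite may not retry in plaintext, so its sessions represent mail that would stop arriving rather than mail that would be downgraded.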