[Ach] disable SSLv2 + SSLv3 howto

Andreas Schulze sca at andreasschulze.de
Wed Oct 15 22:28:57 CEST 2014

Aaron Zauner:
> We're currently having a discussion on the IETF UTA WG on the topic, the
> postfix maintainer is arguing that disabling RC4, SSLv3 etc will cause
> plaintext fallback for MTA<->MTA traffic. Which is - as far as I can tell -
> correct for servers that do not support TLS properly (or legacy clients).

Yes, that's right. The decision should take care of "little crypto rather than plaintext". That should be noted on bettercrypto.org as a first step.

TLS on SMTP is different from TLS on HTTP. But it's difficult to understand
all implications. I personally (think) I did.
After viewing my logs I could clearly make a decision to no longer support
0.000x% of my crypto sessions.

> > < inbound >
> > # grep 'TLS connection established from' /var/log/mail | sed -e 's/^.*\]\: //' -e 's/ with cipher.*//' | sort | uniq -c
> >
> > < outbound >
> > # grep 'TLS connection established to' /var/log/mail | sed -e 's/^.*\]:25\: //' -e 's/ with cipher.*//' | sort | uniq -c
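The log survey the quoted commands perform, written out as an added example that is not part of the original post: it counts the TLS protocol versions Postfix logged for inbound (smtpd, "established from") and outbound (smtp, "established to") sessions, and reports how many sessions of a given protocol (e.g. SSLv3) would be lost by disabling it. The log lines are constructed sample data in Postfix's log format; the host names, IPs and the function names `count_versions` and `protocol_share` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): measure the share of SSLv2/SSLv3
# sessions in Postfix "TLS connection established" log lines before disabling
# those protocols. SAMPLE_LOG is CONSTRUCTED data in Postfix's log format.
SAMPLE_LOG='Oct 15 21:01:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from a.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 15 21:02:10 mx postfix/smtpd[2102]: Trusted TLS connection established from b.example.org[192.0.2.11]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 15 21:03:33 mx postfix/smtpd[2103]: Anonymous TLS connection established from c.example.org[192.0.2.12]: SSLv3 with cipher RC4-SHA (128/128 bits)
Oct 15 21:03:50 mx postfix/smtpd[2107]: Anonymous TLS connection established from g.example.org[192.0.2.14]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct 15 21:04:00 mx postfix/smtp[2104]: Trusted TLS connection established to d.example.net[198.51.100.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct 15 21:05:45 mx postfix/smtp[2105]: Untrusted TLS connection established to e.example.net[198.51.100.6]:25: SSLv3 with cipher AES256-SHA (256/256 bits)
Oct 15 21:06:01 mx postfix/smtpd[2106]: disconnect from f.example.org[192.0.2.13]'

# count_versions DIRECTION
#   DIRECTION is "from" (inbound, smtpd) or "to" (outbound, smtp).
#   Reads log lines on stdin and prints "<count> <protocol>" pairs,
#   most frequent first. The sed steps strip everything up to the
#   "host[ip]:" part, the ":25" port suffix on outbound lines, and
#   the cipher description, leaving only the protocol version.
count_versions() {
    grep "TLS connection established $1 " \
    | sed -e 's/^.*\]: *//' -e 's/^25: //' -e 's/ with cipher.*//' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# protocol_share DIRECTION PROTOCOL
#   Prints "<sessions using PROTOCOL> <all sessions in DIRECTION>", i.e. the
#   number of sessions that would no longer be served if PROTOCOL were
#   disabled (assuming those peers cannot negotiate anything newer).
protocol_share() {
    count_versions "$1" \
    | awk -v p="$2" '{ t += $1 } $2 == p { h += $1 } END { print h + 0, t + 0 }'
}

# Stand-alone run over the constructed sample: per-protocol counts, then the
# SSLv3 share for each direction (inbound: 1 of 4, outbound: 1 of 2).
echo "inbound:";  printf '%s\n' "$SAMPLE_LOG" | count_versions from
echo "outbound:"; printf '%s\n' "$SAMPLE_LOG" | count_versions to
echo "SSLv3 inbound  (hits total): $(printf '%s\n' "$SAMPLE_LOG" | protocol_share from SSLv3)"
echo "SSLv3 outbound (hits total): $(printf '%s\n' "$SAMPLE_LOG" | protocol_share to SSLv3)"
```

On a real system replace the `printf` of `SAMPLE_LOG` with `cat /var/log/mail` (or whatever file Postfix logs to). The outbound count matters most for the plaintext-fallback concern raised in the quoted message: an outbound peer that only speaks SSLv3 will, after SSLv3 is disabled, be reached in plaintext under opportunistic TLS, so the `protocol_share to SSLv3` figure is the number of sessions whose protection would be lost rather than upgraded.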

