[Ach] BetterCrypto guide - POSTFIX configuration mistake / missing parameter

Gunnar Haslinger gh.bettercrypto at hitco.at
Fri Oct 14 12:58:08 CEST 2016


Am 2016-10-14 12:49, schrieb Guillaume REMBERT:

> For MTA, the advice is "better to keep poor encryption than
> nothing". I am fine with this, BUT part of the config indicated is then
> useless (and made me feel like I did something incorrect), isn't it?
> These 2 parameters are not used at all with the opportunistic TLS:
> - smtpd_tls_mandatory_ciphers=high
> - tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:\
> \EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS\
> \:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

No, smtpd_tls_mandatory_ciphers and tls_high_cipherlist are NOT
useless.

In the BetterCrypto config, as explained, it is used for MSA purposes. MSA
= Mail Submission Agent => on the submission ports you only have
mail-client-to-server communication, and there shouldn't be any old
mail client out there which doesn't support the high cipherlist. And on the
submission ports plaintext communication is disabled. So this makes
sense.
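The split the reply describes, as an added example that is not part of the original message or of the BetterCrypto guide: port 25 stays opportunistic (security level `may`, governed by `smtpd_tls_ciphers`), while the submission service in master.cf overrides the security level to `encrypt`, which is what makes `smtpd_tls_mandatory_ciphers = high` and therefore `tls_high_cipherlist` take effect. Service names, the `postfix/submission` syslog tag and the chroot column are assumptions; Postfix main.cf and master.cf only accept comments on their own lines, so none are placed after values.

```conf
# ---- /etc/postfix/main.cf (constructed example) ----
# Port 25, MTA to MTA: opportunistic TLS, "better poor encryption than nothing".
# With security level "may", the cipher grade comes from smtpd_tls_ciphers,
# NOT from smtpd_tls_mandatory_ciphers.
smtpd_tls_security_level = may
smtpd_tls_ciphers = medium

# These two are consulted only when the effective security level is
# "encrypt" or stronger, i.e. on the submission service defined below.
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Grade "high" resolves to this list (taken from the quoted message).
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

# ---- /etc/postfix/master.cf (constructed example) ----
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -      y      -      -      smtpd
# MSA: mail clients only, so TLS is mandatory and plaintext is refused.
# The -o overrides switch this listener to the "mandatory" parameter set.
submission inet  n       -      y      -      -      smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
```

Check the effective per-service value with `postconf -P submission/inet/smtpd_tls_security_level` (Postfix 2.11 or later), which should print `encrypt`; a TLS handshake on the submission port can then only negotiate ciphers from `tls_high_cipherlist`, while port 25 keeps accepting the `medium` grade.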