[Ach] Suggested Postfix config allows some weak ciphers - please review

Wolfgang Breyha wolfgang.breyha at univie.ac.at
Sat May 3 15:28:07 CEST 2014


On 03/05/14 12:53, christian mock wrote:
> Disabling RC4 ciphers would lose 3% of the incoming and 0.04% of
> outgoing TLS connections.

And disabling MD5 would lose such "unworthy" hosts as:
H=honeycrisp.apple.com (mail-out.apple.com) [17.151.62.51]
H=dabinett.apple.com (bz.apple.com) [17.151.62.52]
H=foxwhelp.apple.com (bz.apple.com) [17.151.62.53]
H=bz.apple.com (bz.apple.com) [17.151.62.54]

which at best connect with TLSv1:RC4-MD5:128.

And if the SSL handshake fails they do not bother to try unencrypted as well.

Greetings, Wolfgang
-- 
Wolfgang Breyha <wolfgang.breyha at univie.ac.at> | http://www.blafasel.at/
Vienna University Computer Center              | Austria
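
The kind of measurement discussed in this message, as an added example that is not part of the original post: it tallies inbound TLS deliveries by negotiated cipher and lists the hosts that currently arrive with RC4 or MD5 suites. The Exim-style log layout (`H=` host, `X=` protocol:cipher:bits), the function name `cipher_impact` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed Exim mainlog layout.
# Hostnames and addresses are documentation placeholders, not real peers.
SAMPLE_LOG = """\
2014-05-03 15:00:01 1WgA00-0000aa-01 <= a@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLSv1:RC4-MD5:128 S=2048
2014-05-03 15:00:02 1WgA00-0000aa-02 <= b@example.net H=mx2.example.net [192.0.2.11] P=esmtps X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 S=1999
2014-05-03 15:00:03 1WgA00-0000aa-03 <= c@example.com H=mx3.example.com [192.0.2.12] P=esmtps X=TLSv1:RC4-SHA:128 S=3100
2014-05-03 15:00:04 1WgA00-0000aa-04 <= d@example.org H=mx1.example.org [192.0.2.10] P=esmtps X=TLSv1:RC4-MD5:128 S=900
2014-05-03 15:00:05 1WgA00-0000aa-05 <= e@example.edu H=mx4.example.edu [192.0.2.13] P=esmtp S=1200
"""

# Inbound ("<=") lines that carry a TLS descriptor of the form X=proto:cipher:bits.
LINE_RE = re.compile(
    r" <= .*?\bH=(?P<host>\S+).*?"
    r"\bX=(?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)"
)


def cipher_impact(log_text, banned=("RC4", "MD5")):
    """Return (tls_total, affected_total, per_host_counter).

    A delivery counts as affected when a component of the negotiated
    OpenSSL cipher name (split on '-') is in `banned`. This is an upper
    bound on the loss: a peer may still negotiate another suite once
    the banned one is no longer offered.
    """
    tls_total = 0
    per_host = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # outbound line, or inbound without TLS
        tls_total += 1
        if set(m.group("cipher").split("-")) & set(banned):
            per_host[m.group("host")] += 1
    return tls_total, sum(per_host.values()), per_host


if __name__ == "__main__":
    total, hit, hosts = cipher_impact(SAMPLE_LOG)
    print(f"{hit}/{total} inbound TLS deliveries used a banned suite")
    for host, n in hosts.most_common():
        print(f"  {n:4d}  {host}")
```

Hosts that appear in this list and have never been seen with any other suite are the ones worth checking individually before tightening the cipher list.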