[Ach] Suggested Postfix config allows some weak ciphers - please review

Thomas Preissler thomas at preissler.co.uk
Sat May 3 17:26:23 CEST 2014


Wolfgang,
Albert,

On Sat, May 03, 2014 at 03:28:07PM +0200, Wolfgang Breyha wrote:
> On 03/05/14 12:53, christian mock wrote:
> > Disabling RC4 ciphers would lose 3% of the incoming and 0.04% of
> > outgoing TLS connections.
> 
> And disabling MD5 would lose such "unworthy" hosts like:
> H=honeycrisp.apple.com (mail-out.apple.com) [17.151.62.51]
> H=dabinett.apple.com (bz.apple.com) [17.151.62.52]
> H=foxwhelp.apple.com (bz.apple.com) [17.151.62.53]
> H=bz.apple.com (bz.apple.com) [17.151.62.54]
> 
> which at best connect with TLSv1:RC4-MD5:128.
> 
> And if SSL handshake fails they do not bother to try unencrypted as well.

yeah, I completely missed that STARTTLS is effectively "best
effort" and screwing it would make it worse.
Thanks for your thoughts.


Regards

Thomas

-- 
www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint:  CCBD 153A D257 CA7E A217  FDF7 5928 03D1 7588 9415
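
The measurement quoted above (what share of TLS sessions would be lost if RC4 or MD5 ciphers were excluded, and which peers those are) can be reproduced from Postfix logs. The script below is an added example, not part of this thread or of Postfix; it assumes the usual "TLS connection established" wording of Postfix smtpd/smtp log lines, and the sample lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Postfix TLS log entries (not from the thread).
SAMPLE_LOG = """\
May  3 12:00:01 mx postfix/smtpd[1001]: Anonymous TLS connection established from relay-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  3 12:00:05 mx postfix/smtpd[1002]: Anonymous TLS connection established from old-mta.example.org[198.51.100.7]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May  3 12:00:09 mx postfix/smtpd[1003]: Anonymous TLS connection established from mx.example.com[203.0.113.5]: TLSv1.1 with cipher AES128-SHA (128/128 bits)
May  3 12:00:12 mx postfix/smtp[2001]: Untrusted TLS connection established to mail.example.com[203.0.113.25]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May  3 12:00:15 mx postfix/smtp[2002]: Untrusted TLS connection established to legacy.example.org[198.51.100.9]:25: TLSv1 with cipher RC4-SHA (128/128 bits)
"""

# smtpd = incoming (from host[ip]:), smtp = outgoing (to host[ip]:port:); the
# leading word is Anonymous/Untrusted/Trusted/Verified depending on peer verification.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd|smtp)\[\d+\]: \S+ TLS connection established "
    r"(?:from|to) (?P<peer>\S+?)(?::\d+)?: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def is_weak(cipher: str) -> bool:
    """True for sessions that would no longer negotiate if RC4 or MD5 were excluded."""
    return "RC4" in cipher or cipher.endswith("-MD5")


def loss_if_weak_excluded(log_text: str) -> dict:
    """Per direction: total TLS sessions, weak ones, the loss percentage and the weak peers."""
    totals, weak, weak_peers = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS handshake line (queue ids, plaintext sessions, etc.)
        direction = "incoming" if m["daemon"] == "smtpd" else "outgoing"
        totals[direction] += 1
        if is_weak(m["cipher"]):
            weak[direction] += 1
            weak_peers.setdefault(direction, []).append((m["peer"], m["proto"], m["cipher"]))
    return {
        d: {"total": totals[d], "weak": weak[d],
            "loss_pct": round(100.0 * weak[d] / totals[d], 2) if totals[d] else 0.0,
            "peers": weak_peers.get(d, [])}
        for d in ("incoming", "outgoing")
    }


if __name__ == "__main__":
    for direction, stats in loss_if_weak_excluded(SAMPLE_LOG).items():
        print(f"{direction}: {stats['weak']}/{stats['total']} sessions ({stats['loss_pct']}%) "
              f"would be lost; peers: {stats['peers']}")
```

Because STARTTLS here is opportunistic, every session counted as "weak" is one that would fail outright rather than fall back to a stronger cipher, so the peers list is the set of hosts to contact before tightening the cipher list.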
