[Ach] Suggested Postfix config allows some weak ciphers - please review
Thomas Preissler
thomas at preissler.co.uk
Sat May 3 17:26:23 CEST 2014
Wolfgang,
Albert,
On Sat, May 03, 2014 at 03:28:07PM +0200, Wolfgang Breyha wrote:
> On 03/05/14 12:53, christian mock wrote:
> > Disabling RC4 ciphers would lose 3% of the incoming and 0.04% of
> > outgoing TLS connections.
>
> And disabling MD5 would lose such "unworthy" hosts like:
> H=honeycrisp.apple.com (mail-out.apple.com) [17.151.62.51]
> H=dabinett.apple.com (bz.apple.com) [17.151.62.52]
> H=foxwhelp.apple.com (bz.apple.com) [17.151.62.53]
> H=bz.apple.com (bz.apple.com) [17.151.62.54]
>
> which at best connect with TLSv1:RC4-MD5:128.
>
> And if SSL handshake fails they do not bother to try unencrypted as well.
yeah, I completely missed this that STARTTLS is effectively "best
effort" and screwing it would make it worse.
That for your thoughts.
Regards
Thomas
--
www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint: CCBD 153A D257 CA7E A217 FDF7 5928 03D1 7588 9415
More information about the Ach
mailing list