On 03/06/16 09:52 am, micah wrote:
Lewis G Rosenthal <[email protected]> writes:

Hi...

On 03/06/16 09:02 am, micah wrote:
Axel Huebl <[email protected]> writes:

just wanted to correct a section in Postfix:

For 2.9.6 Wheezy (as described) the option

    tls_ssl_options = NO_COMPRESSION
Since we are on this subject, why is this NO_COMPRESSION option
suggested? There is no rationale for why this setting is there.

The only issue with compression that I am aware of is CRIME, which is
irrelevant for SMTP.

According to the postfix docs:

     Compression is CPU-intensive, and compression before encryption does not
     always improve security.

For performance reasons alone, and the lack of evidence to support that it
would add better security, it is best left disabled.
Sure... but these recommendations are not about performance, if they
were I would expect other recommendations to also appear.

I don't think the clause 'compression before encryption does not always
improve security' means that compression should be disabled to improve
security.


I don't disagree, but Aaron's point is well taken. The idea is that there is no indication that compression makes things *safer* (better crypto), so in the absence of such evidence, it should probably be disabled.

Now, as to the wording of the above from the postfix docs, I suspect that again, the author chose to err on the side of caution, and I take the meaning to be that there is simply no compelling reason (better security or performance) to leave it enabled.

We'll see what comes of the current SHUTUP discussion.

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies   see www.2rosenthals.com
-------------------------------------------------------------
