Hi,

the German DFN CERT (CERT for academic networks) published (German) recommendations on transport encryption for mail servers.[1] In the beginning of the guide they say:

> Die Konfigurationen sind teilweise dem Bettercrypto Projekt entnommen. Dieses Paper
> berücksichtigt ebenfalls Erkenntnisse aus BSI TR-03108-1 sowie BSI TR-03116-4.

Translated:

> The configurations are partially taken from the Bettercrypto project. The paper also
> considers the insights from BSI TR-03108-1 and BSI TR-03116-4.

The latter two are recommendations by the German government agency BSI.[2][3]

The recommended cipher strings for OpenSSL do not differ (suite B). Their guide does recommend cipher strings for GnuTLS whereas we explicitly do not (both only for Exim). Their guide does contain much more information on the setup, which we did not include because it can also be found in the linked documentation of the projects. However, it contains some useful sections, e.g. to enforce TLS for a specific destination. It also covers DANE/TLSA and its configuration on Postfix and Exim. We only refer to it in section "3.8.2. Hardening PKI".

Sebastian

[1]: https://www.dfn-cert.de/aktuell/smtp-transportverschluesselung.html
[2]: https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03108/index_htm.html
[3]: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03116/BSI-TR-03116-4.html

--
python programming - mail server - photo - video - https://sebix.at
cryptographic key at https://sebix.at/DC9B463B.asc and on public keyservers
_______________________________________________ Ach mailing list [email protected] https://lists.cert.at/cgi-bin/mailman/listinfo/ach
