The problem is that you might be using the correct and recommended cipher list, 
but others may have ancient legacy email systems that only support old, weak 
ciphers. There is work being done with sendmail to enable fallback to non-TLS 
when ciphers don't agree.

----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-694-5669

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Corey
Sent: Wednesday, August 26, 2015 10:52 AM
To: mailop@mailop.org
Subject: Re: [mailop] Recommended CipherList

I found the website that I grabbed that cipherlist from. It was 
https://weakdh.org/sysadmin.html. Does everyone still think that this is the 
way to go?

Thanks again in advance,
Corey

On Wed, Aug 26, 2015 at 10:38 AM, Corey <bronxbomber...@gmail.com> wrote:
Hello,

I run an instance of sendmail and I have run into an issue where a server I am 
attempting to send e-mail to is deferring our messages due to a TLS handshake 
error that is due to our MTAs not being able to agree on a cipher. The error 
message is :

 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I am currently using the following ciphers:

CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

After one of the more recent openssl vulnerabilities was uncovered (I forget 
which one it was) I had found the above cipherlist as the recommended setup on 
a couple of sites. Due to the issue I am having sending mail to this host and 
the fact that I can't find the above cipherlist anywhere anymore, I am 
wondering if that's still the case. What is the currently recommended 
CipherList? What are you all using?

Thanks in advance.
Corey

_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
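An added example, not code from the thread or from sendmail: the "no shared cipher" alert means the intersection of the two sides' cipher lists (after the local OpenSSL has expanded every alias and every "!" exclusion) is empty. The script below expands two OpenSSL cipher strings with the Python ssl module and reports the overlap, so a cipher string can be checked against a peer's advertised suites before it is put into sendmail's CipherList. The posted list is copied from the thread; the legacy peer list is a constructed one for illustration, and the helper names (expand, shared_ciphers, peer_only) are this example's own.

```python
"""Expand two OpenSSL cipher strings and show what they have in common.

Added example for the mailop CipherList thread; not sendmail code.
The result depends on the OpenSSL that Python is linked against, exactly
as sendmail's result depends on the OpenSSL it is linked against.
"""
import ssl

# Cipher string posted in the thread (sendmail CipherList=...), verbatim.
POSTED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Constructed stand-in for an "ancient legacy" peer that only offers RC4,
# single DES and MD5 suites; every one of them is excluded above.
LEGACY_PEER = "RC4-SHA:RC4-MD5:DES-CBC-SHA"

# Constructed stand-in for a peer with one modern and one older suite.
MIXED_PEER = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA"


def expand(spec):
    """Return the set of TLS <= 1.2 suite names that `spec` selects.

    An empty set means OpenSSL could not select any cipher from `spec`
    (it raises "No cipher can be selected"), which is also what a peer
    sees as "no shared cipher" once the lists are intersected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return set()
    # TLS 1.3 suites live in a separate list and always show up in
    # get_ciphers(); the 2015 sendmail/OpenSSL stack in the thread had no
    # TLS 1.3, so they are dropped to keep the comparison honest.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def shared_ciphers(ours, theirs):
    """Suites both sides would accept: empty set => handshake fails."""
    return expand(ours) & expand(theirs)


def peer_only(ours, theirs):
    """Suites the peer offers that our list rejects (candidates to add,
    or the reason to fall back to cleartext for that one peer)."""
    return expand(theirs) - expand(ours)


if __name__ == "__main__":
    print("suites selected by the posted list:", len(expand(POSTED)))
    for label, peer in (("legacy peer", LEGACY_PEER), ("mixed peer", MIXED_PEER)):
        common = shared_ciphers(POSTED, peer)
        if common:
            print(f"{label}: would negotiate one of {sorted(common)}")
        else:
            print(f"{label}: no shared cipher; peer offered {sorted(expand(peer))}")
```

To check a real peer rather than a constructed list, the same expansion is done on the wire with `openssl s_client -starttls smtp -connect host:25 -cipher '<spec>'`: a handshake that fails with "no shared cipher" or "handshake failure" for the strict spec but succeeds for a looser one identifies the suite the peer needs. Note that expand() returns an empty set both when a spec is rejected outright and when this OpenSSL no longer ships the named suites (RC4 and single DES are absent from recent builds), so a missing suite on the testing box does not prove the peer is strict.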
