On 20.05.2014 13:03, Colin Fowler wrote:
> ADH is susceptible to MITM attacks, but I can't seem to turn it off.
>
> I've tried various permutations of
>
> tls_preempt_cipherlist = yes
> tls_high_cipherlist (with !DH and !ADH)
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_mandatory_ciphers = high
>
> I'm running 2.9.6 on Debian Wheezy.
>
> Any help appreciated. Thanks :)

don't do that on a public MX
don't do that if you have clients with Outlook in WinXP
(supported or not is out of scope)

a few days ago we had a genius with troubles caused by !SSLv3 because the delivering server did not support TLS1, so what you achieve at the end of the day is failing connections or fallback to plaintext and so you hardly make anything better

if it is *not* a public MX
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXP, MD5, IDEA, KRB5, RC2, SEED, SRP

if it *is* a public MX maybe reconsider that in general

in any case !SSLv3 will break your setup
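
An added example, not part of either message above: a shell filter that reads `openssl ciphers -v` style output and reports which ciphers fall into the classes named in the `smtpd_tls_exclude_ciphers` line, so the effect of an exclusion can be checked offline. The sample listing is constructed, and the mapping from class name to output field (`Au=None` for aNULL, and so on) is this example's assumption about that output format.

```shell
#!/bin/sh
# Constructed sample in `openssl ciphers -v` format (not captured from a server).
SAMPLE='ADH-AES256-SHA     SSLv3 Kx=DH       Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH       Au=RSA  Enc=AES(256) Mac=SHA1
AES128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=AES(128) Mac=SHA1
NULL-SHA           SSLv3 Kx=RSA      Au=RSA  Enc=None     Mac=SHA1
EXP-RC4-MD5        SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)  Mac=MD5 export
AECDH-AES128-SHA   SSLv3 Kx=ECDH     Au=None Enc=AES(128) Mac=SHA1'

# flag_excluded: read cipher lines on stdin and print "NAME CLASS[,CLASS...]"
# for every cipher that belongs to one of the excluded classes.
flag_excluded() {
    awk '{
        why = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=None")            why = why ",aNULL"  # no authentication (ADH, AECDH)
            else if ($i == "Enc=None")      why = why ",eNULL"  # no encryption
            else if ($i == "export")        why = why ",EXP"    # export-grade key sizes
            else if ($i == "Mac=MD5")       why = why ",MD5"
            else if ($i == "Kx=KRB5")       why = why ",KRB5"
            else if ($i ~ /^Kx=SRP/)        why = why ",SRP"
            else if ($i ~ /^Enc=(IDEA|RC2|SEED)[(]/) {
                c = $i; sub(/^Enc=/, "", c); sub(/[(].*/, "", c)
                why = why "," c
            }
        }
        if (why != "") print $1, substr(why, 2)
    }'
}

# count_anon: number of unauthenticated (aNULL) ciphers in the listing on stdin.
count_anon() {
    flag_excluded | awk '$2 ~ /(^|,)aNULL(,|$)/ { n++ } END { print n + 0 }'
}

# Run over the constructed sample. Against a local OpenSSL build:
#   openssl ciphers -v 'HIGH' | flag_excluded
printf '%s\n' "$SAMPLE" | flag_excluded
```
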