On Feb 7, 2015, at 10:51 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote: > On Sat, Feb 07, 2015 at 10:18:11PM -0700, LuKreme wrote: > >> # postconf -n | grep _tls_ >> smtp_tls_security_level = may >> smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem > > Fine so far. > >> smtpd_tls_ciphers = high > > This is too "high" for opportunistic TLS. Anything more than > "medium" is too restrictive for opportunistic TLS on port 25. > > On the submission port (587) you can be more strict. > >> # is smtp_tls_exclude needed? >> smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4 > > The defaults are fine. Why do you feel compelled to "tune" these? > >> smtpd_tls_loglevel = 2 > > Too verbose. Stick with "1" > >> smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3 > > Why exclude TLSv1.1 and TLSv1.2? See the documentation. > The default is fine, but if you must tweak, exclude just > "SSLv2". > > smtpd_tls_protocols = !SSLv2 > > On the submission port (587) you can be more strict.
OK, thank you for the feedback. Some of the settings were simply leftovers I never changed, and I thought we wanted to exclude SSLv3 now. -- 'I warn you, dragon, the human spirit is-' They never found out what it was, or at least what he thought it was, although possibly in the dark hours of a sleepless night some of them might have remembered the subsequent events and formed a pretty good and gut-churning insight, to whit, that one of the things sometimes forgotten about the human spirit is that while it is, in the right conditions, noble and brave and wonderful, it is also, when you get right down to it, only human.
