Currently I have the following in main.cf:

smtp_tls_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = aNULL

According to weakdh.org/sysadmin.html, I should have this:

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
    aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem

Do I open myself to potential compatibility problems by making this change?

Should I make this change for smtp_tls_exclude_ciphers as well?

Should I use the same dhparams.pem file that I use for nginx, or
generate a new one for postfix?

- Grant
