On 11 Nov 2016, at 14:31, [email protected] wrote:

> On Fri, 11 Nov 2016 09:54:48 -0500
> "Bill Cole" <[email protected]> wrote:
>
> [big snip...]
>
>> The bottom line (if you've made it this far...) is that the settings
>> that involve deep encryption parameters in modern Postfix are best
>> left at their default values unless you have very specific uncommon
>> security needs, can accept outright insoluble breakage in place of
>> imperfect security, and understand every sentence of the TLS_README,
>> the relevant bits of postconf(5), and everything Viktor Dukhovni has
>> ever written about encryption on this list.
>
> My postfix setup lacks the tls_high_cipherlist parameter,

Unlikely. It is much more likely that your postfix setup simply uses the default value:

     # postconf tls_high_cipherlist
     tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH

> as shown here:
> https://blog.tinned-software.net/harden-the-ssl-configuration-of-your-mailserver/
>
> Is the advice on that link reasonable? I see the setup echoed over the
> interwebs, but of course bad advice bounces around the internet as well.

I stand by what I said above, which I THINK answers your question. Is it unclear?
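
An added example, not part of the original message or of Postfix: a small offline check that reads main.cf text and reports which `tls_*_cipherlist` parameters are set explicitly rather than left at their defaults. The sample main.cf, the function names and the choice of which parameters to flag are assumptions of this example; the only default value used is the one shown in the `postconf` output above.

```python
import re

# Default shown in the postconf output quoted in this thread.
KNOWN_DEFAULTS = {"tls_high_cipherlist": "aNULL:-aNULL:HIGH:@STRENGTH"}

# Assumption of this example: these are the "deep" parameters worth flagging.
DEEP_PARAM = re.compile(r"^tls_(export|low|medium|high|null)_cipherlist$")

# Constructed sample main.cf, not taken from the thread.
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,
    !SSLv3
tls_high_cipherlist = HIGH:!aNULL:!MD5
#tls_medium_cipherlist = commented out, so the default stays in effect
tls_low_cipherlist =
tls_high_cipherlist = ECDHE+AESGCM:!aNULL
"""

def parse_main_cf(text):
    """Return {name: value} for settings present in main.cf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    settings = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()  # the last definition wins
    return settings

def overridden_cipherlists(text):
    """Explicit cipherlist settings that differ from a known default."""
    return {
        name: value
        for name, value in parse_main_cf(text).items()
        if DEEP_PARAM.match(name) and KNOWN_DEFAULTS.get(name) != value
    }

if __name__ == "__main__":
    for name, value in overridden_cipherlists(SAMPLE_MAIN_CF).items():
        print(f"explicit override: {name} = {value!r}")
```

A parameter that never appears in the result is absent from main.cf (or matches the known default), which is the situation the reply describes: the default is in effect.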