On Sat, 12 Nov 2016 15:29:54 -0500 "Bill Cole" <postfixlists-070...@billmail.scconsult.com> wrote:
> On 11 Nov 2016, at 14:31, li...@lazygranch.com wrote:
>
> > On Fri, 11 Nov 2016 09:54:48 -0500
> > "Bill Cole" <postfixlists-070...@billmail.scconsult.com> wrote:
> > [big snip...]
> >
> >> The bottom line (if you've made it this far...) is that the
> >> settings that involve deep encryption parameters in modern Postfix
> >> are best left at their default values unless you have very
> >> specific uncommon security needs, can accept outright insoluble
> >> breakage in place of imperfect security, and understand every
> >> sentence of the TLS_README, the relevant bits of postconf(5), and
> >> everything Viktor Dukhovni has ever written about encryption on
> >> this list.
> >
> > My postfix setup lacks the tls_high_cipherlist parameter,
>
> Unlikely. It is much more likely that your postfix setup simply uses
> the default value:
>
> # postconf tls_high_cipherlist
> tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
>
> > as shown here:
> > https://blog.tinned-software.net/harden-the-ssl-configuration-of-your-mailserver/
> >
> > Is the advice on that link reasonable? I see the setup echoed over
> > the interwebs, but of course bad advice bounces around the internet
> > as well.
>
> I stand by what I said above, which I THINK answers your question. Is
> it unclear?

# postconf tls_high_cipherlist
tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH

Verified. Assuming the default "high" setting is sufficient, why wouldn't I change this parameter to high rather than medium?

postconf smtpd_tls_mandatory_ciphers
smtpd_tls_mandatory_ciphers = medium

Actually smtp_tls_mandatory_protocols = high, !SSLv2, !SSLv3 since I excluded SSLv2 and v3 after DROWN.
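The thread's advice is to leave the deep encryption parameters at their defaults, and the two settings quoted above (tls_high_cipherlist and smtpd_tls_mandatory_ciphers) are in fact the defaults. The script below is an added example, not something posted in this thread or shipped with Postfix: it reads a main.cf, reports which TLS cipher/protocol parameters are set explicitly and whether each differs from the stock default, and, for the *_protocols parameters, checks that the value is a list of protocol names (postconf(5) takes grades such as "high" and "medium" only in the *_ciphers parameters). The default values in TLS_DEFAULTS are an assumption for Postfix releases of the 2016 era (2.10 through 3.5); confirm them on your own install with `postconf -d <parameter>`. The main.cf fragment in SAMPLE_MAIN_CF is constructed for the demonstration, not taken from a real server.

```shell
#!/bin/sh
# Audit a Postfix main.cf for explicitly set TLS cipher/protocol parameters.
# Added example for the list thread; not Postfix code.

# param|default -- ASSUMED defaults for Postfix 2.10-3.5; verify with `postconf -d`.
TLS_DEFAULTS='tls_high_cipherlist|aNULL:-aNULL:HIGH:@STRENGTH
smtpd_tls_mandatory_ciphers|medium
smtp_tls_mandatory_ciphers|medium
smtpd_tls_mandatory_protocols|!SSLv2, !SSLv3
smtp_tls_mandatory_protocols|!SSLv2, !SSLv3'

# mainf_get FILE PARAM: print PARAM's value from main.cf (last assignment wins,
# as Postfix does); print nothing if it is not set explicitly.
# Simplification: main.cf continuation lines (leading whitespace) are not handled.
mainf_get() {
    awk -v p="$2" '
        $0 ~ "^" p "[ \t]*=" {
            sub("^" p "[ \t]*=[ \t]*", "", $0)
            sub("[ \t]*$", "", $0)
            v = $0; found = 1
        }
        END { if (found) print v }' "$1"
}

# protocols_ok VALUE: succeed only if every comma-separated token is a protocol
# name as postconf(5) accepts for *_protocols: SSLv2, SSLv3, TLSv1, TLSv1.1,
# TLSv1.2, TLSv1.3, optionally prefixed with "!" (exclude) or, in newer
# releases, ">=" / "<=" (range).  Cipher grades like "high" are not protocols.
protocols_ok() {
    bad=$(printf '%s\n' "$1" | tr ',' '\n' |
          sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' |
          grep -Evc '^(!|>=|<=)?(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3)$' || true)
    [ "$bad" -eq 0 ]
}

# tls_audit FILE: one line per explicitly set parameter in TLS_DEFAULTS, saying
# whether it merely restates the default or overrides it; *_protocols values
# that are not protocol lists get an extra warning line.
tls_audit() {
    cf="$1"
    printf '%s\n' "$TLS_DEFAULTS" | while IFS='|' read -r param dflt; do
        val=$(mainf_get "$cf" "$param")
        [ -n "$val" ] || continue
        if [ "$val" = "$dflt" ]; then
            printf '%s: explicitly set to its default (%s)\n' "$param" "$dflt"
        else
            printf '%s: OVERRIDE "%s" (default "%s")\n' "$param" "$val" "$dflt"
        fi
        case "$param" in
            *_protocols)
                protocols_ok "$val" ||
                    printf '  -> "%s" is not a protocol list; cipher grades belong in %s\n' \
                        "$val" "${param%_protocols}_ciphers"
                ;;
        esac
    done
}

# Constructed main.cf fragment for the demo (not a real server's config).
SAMPLE_MAIN_CF='# constructed example, mirrors the settings discussed on the list
myhostname = mail.example.com
tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
smtpd_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = high, !SSLv2, !SSLv3'

# sample_audit: write the constructed fragment to a temp file and audit it.
sample_audit() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MAIN_CF" >"$tmp"
    tls_audit "$tmp"
    rm -f "$tmp"
}

sample_audit
```

On a real host run `tls_audit /etc/postfix/main.cf`; a parameter that does not appear in the output is using the compiled-in default, which is what "my setup lacks the parameter" actually means.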