On 17/02/17 11:43, Fazzina, Angelo wrote:

> Hi,

Hi, Angelo.

Thanks for your prompt reply.

> Here is how I am dealing with "weak ciphers"
> You may be able to do the same type of config ?
> 
> 
> In /etc/postfix/main.cf
> 
> 
> # -ALF 2016-09-07
> # disable RC4 ciphers with TLS connections.
> #smtpd_tls_exclude_ciphers = RC4, aNULL
> # -ALF 2017-01-09
> # disable weak ciphers, and RC4 ciphers
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> #-ALF 2107-01-09
> # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL

I tried this configuration, and in the test I now get that it does not
find weak ciphers. Thanks for sharing!

So I think this would replace these lines of https://cipherli.st:

------------------------------------------------------------------
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
------------------------------------------------------------------

right? Or do you think some of those other lines should be included?


What do you think of the other lines mentioned?

------------------------------------------------------------------
smtpd_use_tls=yes
smtpd_tls_security_level = may (X)
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/ssl/postfix.cert
smtpd_tls_key_file=/etc/ssl/postfix.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache (X)
------------------------------------------------------------------

Currently I have not configured the lines with an "X".

I'm currently using "smtpd_tls_security_level = may", which uses TLS if
this is supported by the remote SMTP server, and otherwise plaintext.
But I'm not using "smtpd_tls_security_level = may". I see the default
value for this parameter is empty. Is that equivalent to "none"?


Thanks for your time.


Kind regards,
Daniel
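As an added example (not code from either message in this thread), a small Python audit of a main.cf fragment for the settings discussed above: it handles a wrapped continuation line like the one in Angelo's exclude list, checks the cipher exclusions and protocol lines, and flags the case where smtpd_tls_security_level is left at its empty default. The sample config is constructed for the example.

```python
"""Audit a Postfix main.cf fragment for the TLS settings discussed in the thread."""
import re

# Constructed sample: Angelo's exclusions (wrapped), "may", and only one protocol line.
SAMPLE_MAIN_CF = """\
# disable weak ciphers, and RC4 ciphers
smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
    RC4, aNULL
smtpd_tls_security_level = may
smtpd_tls_protocols=!SSLv2,!SSLv3
"""

def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', '#' comment lines, and continuation
    lines starting with whitespace, which Postfix appends to the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key:
            params[key] += " " + line.strip()
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            key, params[key] = m.group(1), m.group(2).strip()
    return params

def audit_tls(params):
    """Return a list of findings for weak or missing TLS settings."""
    findings = []
    excl = {c.strip() for c in params.get("smtpd_tls_exclude_ciphers", "").split(",") if c.strip()}
    for want in ("RC4", "aNULL", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA"):
        if want not in excl:
            findings.append(f"smtpd_tls_exclude_ciphers does not exclude {want}")
    for p in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        disabled = {t.strip()[1:] for t in params.get(p, "").split(",") if t.strip().startswith("!")}
        for proto in ("SSLv2", "SSLv3"):
            if proto not in disabled:
                findings.append(f"{p} does not disable {proto}")
    # Empty smtpd_tls_security_level falls back to the legacy smtpd_use_tls (default "no"),
    # so with both at their defaults the server does not offer STARTTLS at all.
    if params.get("smtpd_tls_security_level", "") == "" and params.get("smtpd_use_tls", "no") != "yes":
        findings.append("TLS not offered: smtpd_tls_security_level empty and smtpd_use_tls not yes")
    return findings

if __name__ == "__main__":
    for f in audit_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f)
```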
