Hi,

It all depends on what you need and want.

After monitoring for about a year on connections with or without encryption,
I have 0 unencrypted mail servers found and a handful of SSLv2 or v3,
which I simply don't allow anymore (the SSLv2/v3).
Due to the Dutch "privacy laws" users are obligated to have/use encrypted lines,
and a lot should be encrypted.

So I prefer a high but compatible set.
A setup like this: https://tls.imirhil.fr/smtp/mail.van-belle.nl
My preferred site to check cipher sets.
I'm also running Debian Jessie Postfix 2.11.

And yes, there is always room for improvements, but my cipher check shows me
the following and I'm happy with it.

      2 TLSv1 with cipher AES256-SHA
      6 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
     13 TLSv1.2 with cipher AES256-SHA
     27 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
     34 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
    103 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
    302 TLSv1 with cipher DHE-RSA-AES256-SHA
    772 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
   2307 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  11684 TLSv1 with cipher ECDHE-RSA-AES256-SHA


# Add these to log your ciphers used.
smtp_tls_loglevel=1
smtpd_tls_loglevel=1

# check encrypted connections with:
# grep "connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
# check for clear text connections:
# grep "connection established from" /var/log/mail.log | grep -v cipher | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n

# outgoing connections: smtp
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

# incoming connections: smtpd
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
    DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
#, RSA+AES
smtpd_tls_eecdh_grade = ultra



Greetz, 

Louis

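The grep/awk pipeline in Louis's message counts the "connection established ... with cipher" lines that `smtp_tls_loglevel = 1` / `smtpd_tls_loglevel = 1` produce. As an added example that is not part of the original post or of Postfix, the Python script below does the same count and goes two steps further: it pairs each smtpd `connect from` with the TLS line from the same process id, because a session that never does STARTTLS is logged only as `connect from` / `disconnect from` (Postfix writes no "connection established" line for it), and it flags any handshake that negotiated SSLv2 or SSLv3, the protocols the `!SSLv2,!SSLv3` setting is meant to exclude. The log lines, host names, addresses and process ids are constructed placeholders.

```python
"""Summarise Postfix TLS usage from syslog-format mail.log lines.

Added example, not code from the mailing-list post or from Postfix.
"""
import re
from collections import Counter

# Protocols that smtp(d)_tls_protocols = !SSLv2,!SSLv3 is meant to refuse;
# a TLS line naming one of them means the setting is not in effect.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}

# "Feb 17 16:05:01 host postfix/smtpd[1201]: <message>"
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>smtpd?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Handshake lines written at loglevel 1, e.g.
# "Anonymous TLS connection established from h[ip]: TLSv1.2 with cipher X (256/256 bits)"
# "Trusted TLS connection established to h[ip]:25: TLSv1 with cipher X (256/256 bits)"
TLS_RE = re.compile(
    r"^(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+?\])(?::\d+)?: (?P<proto>\S+) with cipher (?P<cipher>\S+) \("
)

# Constructed sample log (hosts, addresses and pids are placeholders).
SAMPLE_LOG = """\
Feb 17 16:05:01 mx postfix/smtpd[1201]: connect from mail.example.org[192.0.2.10]
Feb 17 16:05:01 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 17 16:05:02 mx postfix/smtpd[1201]: disconnect from mail.example.org[192.0.2.10]
Feb 17 16:05:03 mx postfix/smtpd[1202]: connect from legacy.example.net[198.51.100.7]
Feb 17 16:05:04 mx postfix/qmgr[1100]: 3A1B2C3D4E: from=<sender@example.org>, size=1024, nrcpt=1 (queue active)
Feb 17 16:05:04 mx postfix/smtpd[1202]: disconnect from legacy.example.net[198.51.100.7]
Feb 17 16:05:05 mx postfix/smtpd[1203]: connect from old.example.com[203.0.113.5]
Feb 17 16:05:05 mx postfix/smtpd[1203]: Anonymous TLS connection established from old.example.com[203.0.113.5]: SSLv3 with cipher AES256-SHA (256/256 bits)
Feb 17 16:05:06 mx postfix/smtpd[1203]: disconnect from old.example.com[203.0.113.5]
Feb 17 16:05:07 mx postfix/smtp[1204]: Trusted TLS connection established to mx.example.net[192.0.2.20]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb 17 16:05:08 mx postfix/smtpd[1201]: connect from mail.example.org[192.0.2.10]
Feb 17 16:05:08 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 17 16:05:09 mx postfix/smtpd[1201]: disconnect from mail.example.org[192.0.2.10]
"""


def summarize(log_text):
    """Return (cipher_counts, cleartext_clients, banned_sessions).

    cipher_counts:     Counter keyed by (program, protocol, cipher)
    cleartext_clients: smtpd clients that disconnected without completing a TLS handshake
    banned_sessions:   (program, peer, protocol, cipher) for handshakes on a banned protocol
    """
    cipher_counts = Counter()
    cleartext_clients = []
    banned_sessions = []
    open_sessions = {}  # smtpd pid -> {"client": ..., "tls": None or (proto, cipher)}

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons (qmgr, cleanup, ...) or unrelated syslog lines
        prog, pid, msg = m["prog"], m["pid"], m["msg"]

        if prog == "smtpd" and msg.startswith("connect from "):
            # A plaintext session is logged only as connect/disconnect, so remember
            # it and wait to see whether a TLS line follows from this pid.
            open_sessions[pid] = {"client": msg[len("connect from "):], "tls": None}
            continue

        t = TLS_RE.match(msg)
        if t:
            proto, cipher = t["proto"], t["cipher"]
            cipher_counts[(prog, proto, cipher)] += 1
            if proto in BANNED_PROTOCOLS:
                banned_sessions.append((prog, t["peer"], proto, cipher))
            if prog == "smtpd" and pid in open_sessions:
                open_sessions[pid]["tls"] = (proto, cipher)
            continue

        if prog == "smtpd" and msg.startswith("disconnect from "):
            # smtpd processes are reused for later sessions, so a session is closed
            # on disconnect rather than keyed on pid alone. Sessions still open
            # when the log ends are not judged.
            session = open_sessions.pop(pid, None)
            if session is not None and session["tls"] is None:
                cleartext_clients.append(session["client"])

    return cipher_counts, cleartext_clients, banned_sessions


def report_lines(cipher_counts):
    """Render counts like `sort | uniq -c | sort -n`: ascending, count right-aligned."""
    rows = sorted(cipher_counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [f"{n:7d} {prog} {proto} with cipher {cipher}" for (prog, proto, cipher), n in rows]


if __name__ == "__main__":
    counts, cleartext, banned = summarize(SAMPLE_LOG)
    print("\n".join(report_lines(counts)))
    print("cleartext sessions:", cleartext)
    print("banned protocols negotiated:", banned)
```

Run it against a real log with `summarize(open("/var/log/mail.log").read())`; the report keeps the smtp/smtpd program name so outbound and inbound usage can be read separately, and a non-empty `banned_sessions` list is the signal that the protocol exclusions in main.cf have not taken effect (for example because `postfix reload` was not run).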

> -----Original Message-----
> From: domi...@timedicer.co.uk [mailto:owner-postfix-us...@postfix.org]
> On Behalf Of Dominic Raferd
> Sent: Friday 17 February 2017 16:05
> To: Postfix users
> Subject: Re: Strong Ciphers to use with Postfix
> 
> On 17 February 2017 at 14:43, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
> > Hi,
> > Here is how I am dealing with "weak ciphers"
> > You may be able to do the same type of config ?
> >
> >
> > In /etc/postfix/main.cf
> >
> >
> > # -ALF 2016-09-07
> > # disable RC4 ciphers with TLS connections.
> > #smtpd_tls_exclude_ciphers = RC4, aNULL
> > # -ALF 2017-01-09
> > # disable weak ciphers, and RC4 ciphers
> > smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> > #-ALF 2107-01-09
> > # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> > #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> >
> >
> >
> > -Angelo Fazzina
> > Operating Systems Programmer / Analyst
> > University of Connecticut,  UITS, SSG, Server Systems
> > 860-486-9075
> >
> > -----Original Message-----
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Daniel Bareiro
> > Sent: Friday, February 17, 2017 9:40 AM
> > To: Postfix users <postfix-users@postfix.org>
> > Subject: Strong Ciphers to use with Postfix
> >
> > Hi all!
> >
> > I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.
> >
> > I would like to know what you think of the security settings suggested
> > here [1] for Postfix.
> >
> > I have tested it against this [2] site, but it seems that fails to
> > discard other ciphers; on "Weak ciphers" I get "supported
> > RSA_WITH_RC4_128_SHA".
> >
> 
> As I have learned from here, if your MTA is receiving from the world
> or sending to the world there is little point in enforcing
> super-strong ciphers on the corresponding connection (smtpd or smtp).
> If you refuse all unencrypted communication, and only permit
> super-strong ciphers, you may not be able to receive or send some
> emails, because not all (even genuine) MTAs will support this; but
> otherwise if you only permit super-strong ciphers you will just get
> more unencrypted communication. Of course it is usually
> pointless/unwise to permit broken ciphers, but these are anyway
> disabled by default in postfix.
