> On Mar 14, 2018, at 10:48 PM, John <j...@klam.ca> wrote:
> 
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

Fine.

> smtp_tls_ciphers = high

OK, but medium is perhaps sufficient.

> smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS, 
> kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT

With "high" or "medium" you don't need to exclude "EXPORT" or "LOW".
You're also misspelling some of the cipher names, they are case-sensitive.
Try:

   smtp_tls_exclude_ciphers = MD5, RC2, RC5, IDEA, SEED, aDSS, kECDHe, kECDHr,
       kDHd, kDHr

You can exclude RC4 and 3DES, but it is not essential, and some very
small number of systems will now only be able to receive from you in
the clear.


> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high

Where did you get the idea that "high" was a TLS protocol version?

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_ciphers = high

I would also suggest "medium" here.

> smtpd_tls_eecdh_grade = auto

This requires (and is recommended for) Postfix 3.2 or later.

> smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers

Not necessarily a good idea.  The server should perhaps be more
liberal.

-- 
        Viktor.
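As an added example (not from this thread and not Postfix's own code): a small Python checker for the main.cf settings discussed above. It parses "name = value" lines with continuation lines and $name references, then flags case-mismatched cipher aliases, LOW/EXPORT exclusions that are redundant with a high or medium cipher grade, non-protocol tokens in smtp_tls_mandatory_protocols, and a server exclusion list that just copies the client one. The set of OpenSSL alias names is partial and assumed; the sample config is constructed from the quoted message.

```python
import re
# Partial set of OpenSSL cipher-list aliases (an assumption for this example; the authoritative
# list is `openssl ciphers -v` on the Postfix host). Alias names are case-sensitive.
KNOWN_CIPHER_ALIASES = {"aNULL", "eNULL", "EXPORT", "LOW", "MEDIUM", "HIGH", "MD5", "DES", "3DES", "RC2",
                        "RC4", "RC5", "IDEA", "SEED", "SRP", "PSK", "aDSS", "kECDHe", "kECDHr", "kDHd", "kDHr"}
PROTOCOL_NAMES = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Constructed sample: the main.cf fragment quoted in this thread.
SAMPLE_MAIN_CF = """\
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
    kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
"""

def parse_main_cf(text):
    """Read 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"): continue
        if line[0].isspace() and last:  # continuation line
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params
def expand(params, value):  # resolve $name references, one level (${name} is not handled)
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), value)
def tokens(value):  # Postfix list values are separated by commas and/or whitespace
    return [t for t in re.split(r"[\s,]+", value) if t]

def lint(params):
    findings = []
    for side in ("smtp", "smtpd"):
        grade = params.get(f"{side}_tls_ciphers", "").lower()
        for t in tokens(expand(params, params.get(f"{side}_tls_exclude_ciphers", ""))):
            if t not in KNOWN_CIPHER_ALIASES:  # misspelt or unknown alias, e.g. kECDhe
                fix = next((k for k in KNOWN_CIPHER_ALIASES if k.lower() == t.lower()), None)
                findings.append(f"{side}_tls_exclude_ciphers: unknown cipher alias {t!r}" + (f" (did you mean {fix!r}?)" if fix else ""))
            elif grade in ("high", "medium") and t in ("LOW", "EXPORT"):
                findings.append(f"{side}_tls_exclude_ciphers: {t!r} is redundant with {side}_tls_ciphers = {grade}")
    for t in tokens(params.get("smtp_tls_mandatory_protocols", "")):
        if t.lstrip("!") not in PROTOCOL_NAMES:  # e.g. "high" is a cipher grade, not a protocol
            findings.append(f"smtp_tls_mandatory_protocols: {t!r} is not a TLS protocol name")
    if params.get("smtpd_tls_exclude_ciphers", "").strip() == "$smtp_tls_exclude_ciphers":
        findings.append("smtpd_tls_exclude_ciphers: copies the client list; the server can usually be more liberal")
    return findings
```

Running lint(parse_main_cf(SAMPLE_MAIN_CF)) reports every point raised in the reply above; the corrected list suggested there produces no findings.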