> On Mar 14, 2018, at 10:48 PM, John <j...@klam.ca> wrote:
>
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

Fine.

> smtp_tls_ciphers = high

OK, but medium is perhaps sufficient.

> smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
> kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT

With "high" or "medium" you don't need to exclude "EXPORT" or "LOW".
You're also misspelling some of the cipher names, they are case-sensitive.
Try:

    smtp_tls_exclude_ciphers = MD5, RC2, RC5, IDEA, SEED, aDSS, kECDHe, kECDHr, kDHd, kDHr

You can exclude RC4 and 3DES, but it is not essential, and some very small
number of systems will now only be able to receive from you in the clear.

> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high

Where did you get the idea that "high" was a TLS protocol version?

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_ciphers = high

I would also suggest "medium" here.

> smtpd_tls_eecdh_grade = auto

This requires (and is recommended for) Postfix 3.2 or later.

> smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers

Not necessarily a good idea. The server should perhaps be more liberal.

--
Viktor.
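
An added example, not part of the original thread or of Postfix: a small Python check for the three mistakes the reply points out (mis-cased cipher tokens, LOW/EXPORT exclusions already covered by a high or medium grade, and a non-protocol word in the protocol list). The token tables and function names are assumptions built from the names used in the thread; the check skips $parameter references and does not query OpenSSL.

```python
import re

# Cipher-class spellings as they appear, correctly cased, in the reply above.
CIPHER_TOKENS = {"DES", "3DES", "MD5", "RC2", "RC4", "RC5", "IDEA", "SRP", "PSK",
                 "SEED", "LOW", "EXPORT", "aDSS", "kECDHe", "kECDHr", "kDHd", "kDHr"}
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANON = {t.lower(): t for t in CIPHER_TOKENS}

# Constructed sample: the client settings quoted in the thread.
SAMPLE = """\
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
    kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines (leading whitespace)."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def lint(text):
    """Return (parameter, token, problem) tuples for the mistakes named in the reply."""
    params, findings = parse_main_cf(text), []
    for name, value in params.items():
        toks = [t for t in re.split(r"[,\s]+", value) if t and not t.startswith("$")]
        if name.endswith("_tls_exclude_ciphers"):
            grade = params.get(name.replace("exclude_ciphers", "ciphers"), "")
            for tok in toks:
                right = CANON.get(tok.lower())
                if right is None:
                    findings.append((name, tok, "unknown cipher token"))
                elif right != tok:
                    findings.append((name, tok, "wrong case, use " + right))
                elif tok in ("LOW", "EXPORT") and grade in ("high", "medium"):
                    findings.append((name, tok, "redundant with grade " + grade))
        elif name.endswith("_tls_mandatory_protocols"):
            for tok in toks:
                if tok.lstrip("!") not in PROTOCOLS:
                    findings.append((name, tok, "not a TLS protocol name"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```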