Re: tls_high_cipherlist with !SEED is ignored

Viktor Dukhovni Tue, 15 Jan 2019 07:28:05 -0800

> On Jan 15, 2019, at 8:39 AM, Stefan Bauer <cubew...@googlemail.com> wrote:
> 
>  -o smtpd_tls_mandatory_ciphers=high
>  -o tls_preempt_cipherlist=yes
>  -o 
> tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-S
> HA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA


Instead, try:

  master.cf:
        submission inet ... smtpd
          ...
          -o smtpd_tls_security_level=encrypt
          -o smtpd_tls_mandatory_ciphers=high
          -o smtpd_tls_exclude_ciphers=$msa_exclude_ciphers

  main.cf:
        msa_exclude_ciphers = SEED

See: http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers

-- 
        Viktor.

Re: tls_high_cipherlist with !SEED is ignored

Reply via email to