> On 14 Aug 2021, at 1:15 am, raf <post...@raf.org> wrote:
>
> According to the hardenize.com security bingo site,
> they get a green box for their mail server TLS, even
> though they support TLSv1.0 (yellow), because they
> don't support anonymous ciphers (red). If they were
> supporting anonymous ciphers, it would get a
> yellow/amber box overall.
>
> https://www.hardenize.com/report/rhenus.com
I should ping Ivan Ristic and ask him to change that policy.
It is counterproductive. See:

    https://datatracker.ietf.org/doc/html/rfc7672#section-8.2

If you're not obligated by some regulatory requirement to have
"green" checkmarks from a counterproductively strict TLS stack
audit, leave "aNULL" ciphers enabled when doing unauthenticated
opportunistic TLS. Slinging unused certificates around adds
nothing to your security.

> Anonymous ciphers would be supported by default.

Postfix supports these by default; most other applications do
not, as they're not part of the "DEFAULT" cipherlist in OpenSSL.

> So maybe they stopped supporting them.

Perhaps they did explicitly turn off "aNULL", or they're not
using Postfix.

-- 
Viktor.
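The Postfix settings the message is talking about, as an added illustration that is not part of the original thread or of the Postfix documentation: a main.cf fragment with the default opportunistic configuration (anonymous suites still offered) beside the change a scanner that marks "aNULL" red would ask for. The parameter names are real Postfix TLS parameters; the file paths are placeholders.

```conf
# Added example (not from the original message). Postfix main.cf fragment.
# Parameter names are real Postfix parameters; paths are placeholders.

# --- Inbound STARTTLS (smtpd): opportunistic, Postfix's default cipher policy ---
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file  = /etc/postfix/key.pem
# Empty is the default: anonymous (aNULL) suites remain available to clients
# that are not going to verify our certificate anyway. This is the behaviour
# RFC 7672 section 8.2 describes for unauthenticated opportunistic TLS and
# the one the message above recommends keeping.
smtpd_tls_exclude_ciphers =

# --- Outbound TLS (smtp): opportunistic, peers are not authenticated ---
smtp_tls_security_level = may
smtp_tls_exclude_ciphers =

# --- What a "no anonymous ciphers" audit result would require ---
# Excluding aNULL turns the scanner's box green but adds nothing here: at the
# "may" level the peer does not verify the certificate, so whether the
# handshake used a certificate or an anonymous key exchange makes no
# difference to an active attacker. Uncomment only if a compliance
# requirement forces it.
# smtpd_tls_exclude_ciphers = aNULL
# smtp_tls_exclude_ciphers = aNULL
```

Anonymous suites only matter where nobody is checking certificates; once a connection is actually authenticated (DANE, or a mandatory "verify"/"secure" level on the client side) an anonymous key exchange cannot satisfy that verification, so the aNULL question is specific to the opportunistic case the message discusses.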