It came to my attention recently that the ciphers used by the stock QMT
aren't as secure as they might be. In fact, QMT was simply using all
available ciphers in no particular priority.
The general intention of QMT is to be as secure as reasonably possible
in the stock configuration, and if security is too tight for someone,
they can deliberately relax the security configuration.
With this in mind, I've modified the soon-to-be-officially-released qmail
for COS6 to include the following cipher string:
MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES
If anyone needs something more lenient, they can adjust their
tlsserverciphers file accordingly.
For those of you on COS5 (or present COS6 hosts) who want to beef up
their TLS/SSL security, the following command will do it:
# openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' \
>/var/qmail/control/tlsserverciphers
FWIW, this configuration is PCI compliant.
(PCI is credit card industry guidelines).
Thanks.
--
-Eric 'shubes'
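
Added example (not part of the original message and not QMT's own tooling): a shell check that reads an expanded tlsserverciphers file, as written by the command above, and reports any suite whose OpenSSL name shows RC4, 3DES or an MD5 MAC. The function name audit_ciphers and the sample cipher list are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an expanded, colon-separated cipher list for suites
# that the cipher string in the message excludes by name.
# Patterns follow OpenSSL cipher naming (e.g. RC4-SHA, DES-CBC3-SHA, RC4-MD5).

# Prints "<cipher>: <reason>" for each offending suite.
# Return status: 0 = clean, 1 = weak suites found, 2 = file missing or empty.
audit_ciphers() {
    [ -r "$1" ] && [ -s "$1" ] || return 2
    # Split the single colon-separated line into one cipher name per line.
    hits=$(tr ':' '\n' < "$1" | while IFS= read -r name || [ -n "$name" ]; do
        case $name in
            *RC4*)      echo "$name: RC4" ;;
            *DES-CBC3*) echo "$name: 3DES" ;;
            *-MD5)      echo "$name: MD5" ;;
        esac
    done)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample list (not taken from a real host).
sample=$(mktemp)
printf 'AES256-SHA:RC4-MD5:DES-CBC3-SHA\n' > "$sample"
audit_ciphers "$sample" || echo "audit status: $?"
rm -f "$sample"
```

On a live host, pass /var/qmail/control/tlsserverciphers as the argument; a status of 1 means the file still lists a suite the cipher string was meant to remove.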