[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

Viktor Dukhovni via Postfix-users Thu, 29 Feb 2024 19:53:26 -0800

On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote:

> i still use the
> 
>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20


I don't recommend cargo-culting random cipher lists.

>   smtpd_tls_mandatory_ciphers = high
>   smtpd_tls_mandatory_exclude_ciphers = TLSv1

In pratice, this boils down to

    ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
    ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1

Which should all be fine (better than cleartext) for email.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

Reply via email to