On 2016-10-14 12:49, Guillaume REMBERT wrote:

> For MTA, the advice is "better to keep poor encryption than
> nothing". I am fine with this, BUT part of the config indicated is then
> useless (and made me feel like I did something incorrect), isn't it?
> These 2 parameters are not used at all with the opportunistic TLS:
> - smtpd_tls_mandatory_ciphers=high
> - tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA

No, smtpd_tls_mandatory_ciphers and tls_high_cipherlist are NOT
useless.

In the BetterCrypto config, as explained, it is used for MSA purposes. MSA
= Mail Submission Agent => on the submission ports you only have
mail-client-to-server communication, and out there shouldn't be any old
mail client which doesn't support the high cipherlist. And on the
submission ports plaintext communication is disabled. So this makes
sense.
_______________________________________________
Ach mailing list
Ach@lists.cert.at
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
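As an added illustration (not part of the thread above and not taken from the BetterCrypto guide), the following Postfix fragments show how the two settings discussed end up applying only to the submission port. Postfix consults smtpd_tls_ciphers when the security level is "may" (opportunistic TLS on port 25) and smtpd_tls_mandatory_ciphers only when the level is "encrypt" or "verify"; the per-service "-o" overrides in master.cf are what switch the submission service to the mandatory settings. The cipherlist value is shortened to a placeholder; the real value is the one quoted in the thread.

```conf
# main.cf (global defaults; port 25 stays opportunistic so that old
# peers with weak TLS still get some encryption instead of plaintext)
smtpd_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2,!SSLv3

# These two only take effect where the security level is "encrypt" or
# "verify", i.e. on the submission service defined in master.cf below.
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
tls_high_cipherlist = <cipherlist from the BetterCrypto guide>

# master.cf (submission service: TLS required, so no plaintext fallback
# and the "high" cipherlist is enforced; only authenticated clients may relay)
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

To check which cipher set a given service actually enforces, "postconf -P" prints the per-service overrides from master.cf, and the "Anonymous TLS connection established ... (TLSv1.2 with cipher ...)" lines in the mail log show what was negotiated on each port.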