Re: [mailop] Recommended CipherList

Wed, 26 Aug 2015 08:12:51 -0700 

Windows Server 2003 (which is now officially out of support) only really
works with RC4.... AND the offer must be one of the first in the list as it
only reads the first 16. If that's your problem then adding RSA-RC4-SHA1 is
a temporary fix. The real fix is for your counterparty to upgrade.

Cheers, Ben
Hello,

I run an instance of sendmail and I have run into an issue where a server I
am attempting to send e-mail to is deferring our messages due to a TLS
handshake error that is due to our MTAs not being able to agree on a
cipher. The error message is :

 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I am currently using the following ciphers:

CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

After one of the more recent openssl vulnerabilities were uncovered (I
forget which one it was) I had found the above cipherlist as the
recommended set up on a couple of sites. Due to the issue I am having
sending mail to this host and the fact that I can't find the above
cipherlist anywhere anymore, I am wondering if that's still the case. What
is the currently recommended Cipherlist? What are you all using?

Thanks in advance.
Corey

_______________________________________________
mailop mailing list
[email protected]
http://chilli.nosignal.org/mailman/listinfo/mailop

_______________________________________________
mailop mailing list
[email protected]
http://chilli.nosignal.org/mailman/listinfo/mailop

Reply via email to