You can get a clear view of your ciphers etc. by running: nmap --script ssl-enum-ciphers -p 25 mx.yourserver.tld
FWIW, on our Zimbra 10 system with the FIPS-compliant OpenSSL package installed, we get on each of our MTAs:

nmap --script ssl-enum-ciphers -p 25 my.missioncriticalemail.com
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-01 15:16 EST
Nmap scan report for my.missioncriticalemail.com (35.173.158.175)
Host is up (0.038s latency).

PORT   STATE SERVICE
25/tcp open  smtp
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 8.57 seconds

We have only a handful of negotiation failures daily on the first connect; some of those succeed on the second connection a few minutes later. No customers have complained that anyone they want to get email from hasn't been able to send to us.

Hope that helps,
Mark
_________________________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner For Companies With Mission-Critical Email Needs

----- Original Message -----
From: "Slavko via mailop" <mailop@mailop.org>
To: "mailop" <mailop@mailop.org>
Sent: Monday, March 4, 2024 4:30:25 PM
Subject: Re: [mailop] Recommended ciphers used for ESMTP connections

On 4 March 2024 21:15:23 UTC, John Levine via mailop <mailop@mailop.org> wrote:
>It appears that Ken O'Driscoll via mailop <k...@kenodriscoll.com> said:
>>Transport encryption is not for confidentiality anyway.
>
>Agreed. My MTA uses "NORMAL:-VERS-SSL3.0"

Then why have you disabled SSL3? And why don't you build your own openssl with SSL2 support?

regards
-- 
Slavko
https://www.slavino.sk/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
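Reading an ssl-enum-ciphers listing by eye gets tedious once you have more than one MTA, so here is an added example (not code from the thread, Mark, or the nmap project) that parses the text format shown above and summarises what a mail admin would look for: legacy protocol versions offered, suites whose key exchange gives no forward secrecy (the TLS_RSA_* family), CBC suites, any grade below A, and whether the server enforces its own cipher order. The sample input is constructed from a trimmed copy of the output shape in Mark's message; the line layout is assumed to match nmap 7.94's script output.

```python
"""Summarise nmap --script ssl-enum-ciphers output for an SMTP listener.

Added example; it assumes the nmap 7.94 text layout shown in the thread.
"""
import re

# Constructed sample: a trimmed copy of the output shape shown in the thread.
SAMPLE = """\
PORT   STATE SERVICE
25/tcp open  smtp
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A
"""

# One protocol block header, e.g. "|   TLSv1.2:"
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
# One suite line: name, key-exchange detail in parentheses, nmap grade letter.
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
PREF_RE = re.compile(r"^\|\s+cipher preference:\s+(\w+)")

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_enum_ciphers(text):
    """Return {protocol: {"ciphers": [(suite, kx, grade)], "preference": str|None}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"ciphers": [], "preference": None}
            continue
        if current is None:
            continue  # still in the nmap preamble
        m = CIPHER_RE.match(line)
        if m:
            result[current]["ciphers"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = PREF_RE.match(line)
        if m:
            result[current]["preference"] = m.group(1)
    return result


def suites_without_pfs(parsed):
    """Suites using static RSA key exchange: a leaked server key decrypts past traffic."""
    return [suite for proto in parsed
            for suite, _kx, _grade in parsed[proto]["ciphers"]
            if suite.startswith("TLS_RSA_")]


def assess(parsed):
    """Turn the parsed listing into a list of plain-text findings."""
    findings = []
    for proto in sorted(parsed):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"{proto}: legacy protocol offered; disable it")
        for suite, _kx, grade in parsed[proto]["ciphers"]:
            if suite.startswith("TLS_RSA_"):
                findings.append(f"{proto}: {suite} uses RSA key exchange (no forward secrecy)")
            if "_CBC_" in suite:
                findings.append(f"{proto}: {suite} is a CBC (non-AEAD) suite")
            if grade != "A":
                findings.append(f"{proto}: {suite} graded {grade} by nmap")
        if parsed[proto]["preference"] == "client":
            findings.append(f"{proto}: cipher preference is client-chosen; "
                            "server does not enforce its own order")
    if "TLSv1.3" not in parsed:
        findings.append("TLSv1.3 not offered")
    return findings


if __name__ == "__main__":
    # Typical use: nmap --script ssl-enum-ciphers -p 25 host > out.txt; python this.py < out.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in assess(parse_enum_ciphers(text)):
        print(finding)
```

None of these findings means the listener is broken for mail delivery; as Mark's note about a handful of failed first connects shows, opportunistic STARTTLS trades strictness for reachability, and the point of the script is to make the trade-off visible per host rather than to enforce a policy.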