Thank you everyone for your responses. It makes sense to not have a
restricted set of ciphers.
Eray, your explanation made perfect sense and adding the precision about no
known downgrade attack makes me revise the ciphers we use.

I'm also going to read the PDF eBulldog shared.

Thank you all so much for your input, I appreciate it!

Best regards
Cyril

On Tue, 5 Mar 2024 at 09:47, Eray Aslan via mailop <mailop@mailop.org>
wrote:

> On Mon, Mar 04, 2024 at 05:30:54PM +0100, Cyril - ImprovMX via mailop
> wrote:
> > On our send, we decided to use the ciphers suggested by Mozilla on their
> > SSL Configuration Generator (https://ssl-config.mozilla.org/) (level
> > "Intermediate") but I'm aware it's more for the HTTPS connections that
> > ESMTP / TLS.
>
> Exactly. SMTP is not HTTPS. Too restrictive a setting either results in
> interoperability problems or plain text transmission. Leaving TLS1.0
> enabled is fine with SMTP. If you support TLS1.2 and the client supports
> TLS1.2, there is no known downgrade attack to TLS1.0.
>
> [...]
> > And we only accept TLS at v1.2 and higher.
>
> It is 2024 but this is still, unfortunately, not advisable. In SMTP,
> increased security is achieved via raising the ceiling. Raising the
> floor is counter productive. It is opportunistic encryption and
> multi-hop. Different design choices different implications.
>
> --
> Eray
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
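As an added illustration of Eray's "raise the ceiling, not the floor" point, here is a configuration fragment in Postfix main.cf syntax (example only, not from anyone in this thread; the thread does not name an MTA, so Postfix is an assumption, and the `>=TLSv1.2` form assumes Postfix 3.6 or later, older releases use exclusion lists such as `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1`):

```conf
# Added example, not from the thread. Postfix is assumed; the parameter
# names below are real Postfix parameters.

# --- Before: floor raised ("we only accept TLS at v1.2 and higher") ---
# With opportunistic TLS (security level "may"), a peer that can only
# speak TLS 1.0/1.1 fails the handshake. As Eray notes, the outcome is
# then either an interoperability problem or a plaintext delivery,
# neither of which is better than a TLS 1.0 session.
smtpd_tls_security_level = may
smtpd_tls_protocols = >=TLSv1.2
smtp_tls_security_level = may
smtp_tls_protocols = >=TLSv1.2

# --- After: ceiling raised, floor left low ---
# TLS 1.3/1.2 are offered and preferred; 1.0/1.1 remain available for
# peers that can do no better, which still beats cleartext on an
# opportunistic, multi-hop path. Only SSLv2/SSLv3 are excluded.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3

# A strict floor is reserved for the *mandatory* policy, which only
# applies where TLS is explicitly required (e.g. destinations listed
# in smtp_tls_policy_maps with level "encrypt" or higher), i.e. peers
# you already know support modern versions.
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = >=TLSv1.2
```

After changing these, `postconf -n | grep tls_` shows the effective values, and the `Anonymous TLS connection established ... TLSv1.x` lines in the mail log reveal which versions peers actually negotiate.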