On 04/03/2024 18:30, Cyril - ImprovMX via mailop wrote:
> And we only accept TLS at v1.2 and higher.

Because SMTP is opportunistic you can't be too restrictive. Allowing TLSv1.1 would likely provide more compatibility. If you want to enforce security, implement MTA-STS.

OpenSSL has built-in presets named "HIGH", "MEDIUM" and "LOW". You can just use "HIGH:MEDIUM:!LOW:!DHE" and it will provide a very compatible set of ciphers (without allowing DHE that could allow DoS). You should also enable server-side ciphersuite preference.

This configuration reduces the maintenance burden: if OpenSSL developers find something very broken, it'll get disabled with an update because you haven't forced a bad inclusion.


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop