On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:

> Sorry, context is important. This server needs to pass a Payment Card
> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
> less than 112 bits, or else use the 3DES encryption suite". Opportunistic
> TLS is NOT a goal.

Many of the anon-DH ciphers are quite strong by that metric: they use AES-128
or AES-256.

> > What do you consider weak?
>
> All of the anonymous Diffie-Hellman suites with an "F" score. How can I
> eliminate the following:

Who's assigning the "F" scores? Do they in fact line up with the PCI
requirements?

As explained in:

    https://www.postfix.org/TLS_README.html#client_tls_limits
    https://datatracker.ietf.org/doc/html/rfc7672#section-8.2

there is nothing wrong with leaving anon-DH ciphers enabled on servers. They
can however be disabled to comply with clueless auditors by setting:

    smtpd_tls_exclude_ciphers = aNULL

or (if applicable only with mandatory TLS):

    smtpd_tls_mandatory_exclude_ciphers = aNULL

-- 
Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
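An added example (not part of the thread, and not Postfix or Viktor's code) that makes the distinction in the reply concrete: it parses `openssl ciphers -v` style lines, applies the PCI metric Scott quoted (key length below 112 bits, or 3DES) separately from the "anonymous" criterion behind the "F" score, and derives the `smtpd_tls_exclude_ciphers` words that would silence both findings. The sample cipher lines are constructed for the example; `openssl ciphers -v 'ALL'` on the server would supply real ones.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of `openssl ciphers -v` (not captured from any server).
SAMPLE_OPENSSL_CIPHERS = """\
ADH-AES256-GCM-SHA384       TLSv1.2 Kx=DH   Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1
AECDH-AES128-SHA            TLSv1   Kx=ECDH Au=None Enc=AES(128)    Mac=SHA1
ADH-DES-CBC3-SHA            SSLv3   Kx=DH   Au=None Enc=3DES(168)   Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA  Enc=3DES(168)   Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

@dataclass
class Suite:
    name: str
    kx: str
    au: str
    enc: str
    bits: int

def parse_ciphers(text: str) -> list[Suite]:
    """Parse `openssl ciphers -v` lines (NAME PROTO Kx= Au= Enc=ALG(bits) Mac=)."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        m = re.fullmatch(r"([A-Za-z0-9]+)\((\d+)\)", kv["Enc"])
        suites.append(Suite(fields[0], kv["Kx"], kv["Au"], m.group(1), int(m.group(2))))
    return suites

def weak_by_pci(s: Suite) -> bool:
    """The PCI definition quoted in the thread: under 112-bit keys, or 3DES."""
    return s.enc == "3DES" or s.bits < 112

def anonymous(s: Suite) -> bool:
    """Anonymous (EC)DH: no server authentication (Au=None); what scanners grade 'F'."""
    return s.au == "None"

def postfix_exclusions(suites: list[Suite]) -> str:
    """Value for smtpd_tls_exclude_ciphers covering both findings (OpenSSL cipherlist words)."""
    words = []
    if any(anonymous(s) for s in suites):
        words.append("aNULL")
    if any(s.enc == "3DES" for s in suites):
        words.append("3DES")
    return ", ".join(words)
```

The AES-based anonymous suites pass the quoted PCI key-length metric and are flagged only for lacking authentication, which is the point of the reply.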