postfix-users@postfix.org wrote in
 <zeb8vfvk3oel8...@chardros.imrryr.org>:
 |On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote:
 |
 |> Sorry, context is important. This server needs to pass a Payment Card
 |> Industry (PCI) compliance scan. Their definition of weak: "key lengths of
 |> less than 112 bits, or else use the 3DES encryption suite". Opportunistic
 |> TLS is NOT a goal.

i still use the

  # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
  tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
  smtpd_tls_mandatory_ciphers = high
  smtpd_tls_mandatory_exclude_ciphers = TLSv1

that the developer of my lighttpd server has introduced for HTTP,
and i do not feel i have a fallout. I have just looked and i do
not see a single SSL_accept error or "no shared cipher" or what
message at all in my logs. (But note they rotate over after about
48 hours, and the ones mailed to me i drop at a glance.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
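
Added example, not part of the original message or of Postfix: a check of the posted tls_high_cipherlist against the scanner rule quoted above ("less than 112 bits, or else 3DES"). It assumes the OpenSSL build linked into the local Python expands the cipher string the same way as the one Postfix uses; the function names are hypothetical.

```python
import ssl

# Cipher string copied from the tls_high_cipherlist line in the message above.
POSTED_CIPHERLIST = "EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20"
MIN_BITS = 112  # threshold from the scanner definition quoted in the thread


def expand(cipherlist):
    """Return the suites the local OpenSSL enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipherlist)  # raises ssl.SSLError if no suite matches
    # Note: TLSv1.3 suites are listed too; a cipher string does not control them.
    return ctx.get_ciphers()


def is_weak(suite):
    """Apply the quoted rule to one entry from SSLContext.get_ciphers()."""
    name = suite["name"].upper()
    symmetric = (suite.get("symmetric") or "").lower()
    # OpenSSL rates 3DES at 112 strength bits, so the bit threshold alone
    # does not flag it; match the algorithm by name as well.
    uses_3des = "3DES" in name or "DES-CBC3" in name or "des-ede3" in symmetric
    return suite["strength_bits"] < MIN_BITS or uses_3des


def audit(cipherlist):
    """Names of enabled suites that the quoted rule would flag."""
    return [s["name"] for s in expand(cipherlist) if is_weak(s)]


if __name__ == "__main__":
    for s in expand(POSTED_CIPHERLIST):
        flag = "WEAK" if is_weak(s) else "ok"
        print(f'{flag:4} {s["protocol"]:8} {s["strength_bits"]:3} {s["name"]}')
    print("flagged:", audit(POSTED_CIPHERLIST))
```

Running it on the mail server itself, with the Python that links the same OpenSSL, gives the closest match to what Postfix will actually offer.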