On 08.11.2013 00:50, Viktor Dukhovni wrote:
> On Fri, Nov 08, 2013 at 12:27:13AM +0100, li...@rhsoft.net wrote:
> 
>>> If you MUST muck around with raw OpenSSL cipherlists, the underlying
>>>
>>>     tls_<grade>_cipherlist
>>>
>>> parameters are present and documented, along with appropriate
>>> warnings to not go there.
>>>
>>> Note that Postfix will still apply implicit and configured exclusions
>>> to these based on context (!aNULL when verifying peer certificates)
> 
> READ THE ABOVE "Note" carefully.  The exclusions are applied on
> top of the cipher grade at run time.  They don't modify the underlying
> cipher list that defines the base ciphers for the grade.

I read it carefully, but I still do not find a way to get SMTP
configured with exactly the same ciphers in the same order,
nor do I see a way to get the effective list

the intention is that I see clients with broken TLS handshakes on
SMTP while they work pretty fine on Dovecot with the hardcoded
cipherlist, and it's hard to impossible to debug this with end users

since they successfully log into POP3/IMAP with TLS, I assume the
same client would happily do the same with identical cipherlists
on SMTP, while I do not even know which sort of device it is or if
it is more than one device behind a NAT

>> that does not work with "smtpd_tls_security_level = may" and
>> "smtpd_tls_security_level = encrypt"
> 
> Pilot error

how is it a pilot error that I can't turn back time 10 years and configure
hundreds of client devices so as not to break them when set to "encrypt", where
especially smartphones tend not to give out any error messages to the user

there is an existing userbase from long before my time :-(
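The thread turns on two things: the effective SMTP cipher list is the grade's base cipherlist with exclusions such as `!aNULL` appended at run time, and the poster wants to compare that effective list, in order, against Dovecot's hardcoded one. The script below is an added illustration, not code from Postfix, Dovecot or either participant; it assumes `openssl` is on the PATH, and the cipher strings in the comments are constructed examples, not Postfix defaults. Appending `:!<exclusion>` is an approximation of how the exclusions are layered on top, used here only to expand and compare lists.

```shell
#!/bin/sh
# Build an effective cipher string from a grade's base cipherlist plus
# run-time exclusions (e.g. aNULL when peer certificates are verified).
# Usage: postfix_effective_cipherlist 'HIGH:MEDIUM' aNULL
# Constructed example values; not Postfix's actual defaults.
postfix_effective_cipherlist() {
    base="$1"; shift
    list="$base"
    for excl in "$@"; do
        list="$list:!$excl"
    done
    printf '%s\n' "$list"
}

# Expand an OpenSSL cipher string into the ordered ciphers it selects,
# one per line, so two lists can be compared position by position.
expand_cipherlist() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Compare two cipher strings after expansion. Prints a unified diff
# (Dovecot list as "-", SMTP list as "+") and returns 0 only when the
# two expansions are identical in content AND order.
compare_cipherlists() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    expand_cipherlist "$1" > "$a"
    expand_cipherlist "$2" > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Example run: constructed Dovecot-style list vs. a constructed SMTP grade
# list with the aNULL exclusion applied at "run time".
if [ "${1:-}" = "--demo" ]; then
    dovecot_list='ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA'
    smtp_list=$(postfix_effective_cipherlist 'HIGH:MEDIUM' aNULL)
    echo "Effective SMTP cipher string: $smtp_list"
    compare_cipherlists "$dovecot_list" "$smtp_list" \
        && echo "identical" || echo "lists differ (see diff above)"
fi
```

Run with `sh script.sh --demo`; replace the constructed strings with the output of `postconf -h tls_high_cipherlist` and Dovecot's configured list to compare real deployments.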
