On 12 January 2017 at 20:13, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
> Thank you that is working perfectly as I need.
> http://www.postfix.org/postconf.5.html#smtpd_tls_loglevel
>
> # -ALF 2017-01-12
> smtpd_tls_loglevel = 1
>
> example output for others to see....
>
> Jan 12 14:21:59 mta4 postfix/smtpd[6814]: Anonymous TLS connection
> established from angelo.uits.uconn.edu[137.99.80.129]: TLSv1.2 with cipher
> DHE-RSA-AES128-SHA (128/128 bits)
>

Just for amusement (it's been a long day) I had a look at the selected encryption for incoming mails on one of our servers over the last few months. One cipher and one protocol predominate [ECDHE-RSA-AES128-GCM-SHA256 (128/128_bits) TLSv1.2] but quite a range of others are used too. I would prefer to disable TLSv1(.0) because it does not pass PCI DSS v3.2 but evidently that is not workable at the moment:

# zgrep "to.* TLS.* with cipher" /var/log/mail.log*|awk '{if ($NF=="bits)") print $(NF-2),$(NF-1)"_"$NF,$(NF-5)}'|sort|uniq -c|sort -rn
  15509 ECDHE-RSA-AES128-GCM-SHA256 (128/128_bits) TLSv1.2
    798 ADH-AES256-SHA (256/256_bits) TLSv1
    751 ECDHE-RSA-AES256-GCM-SHA384 (256/256_bits) TLSv1.2
    254 AES256-SHA (256/256_bits) TLSv1
    235 DHE-RSA-AES256-GCM-SHA384 (256/256_bits) TLSv1.2
     36 ECDHE-RSA-AES256-SHA384 (256/256_bits) TLSv1.2
     32 AECDH-AES256-SHA (256/256_bits) TLSv1.2
     11 ECDHE-RSA-AES256-SHA (256/256_bits) TLSv1
      7 DHE-RSA-AES256-SHA (256/256_bits) TLSv1
      6 AES128-GCM-SHA256 (128/128_bits) TLSv1.2
      4 ECDHE-RSA-AES256-SHA (256/256_bits) TLSv1.2
      3 DHE-RSA-AES128-SHA (128/128_bits) TLSv1.2
      1 ADH-AES256-GCM-SHA384 (256/256_bits) TLSv1.2
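
Added example, not part of the original message: before disabling TLSv1 it helps to know which sending hosts still negotiate it, so this sketch lists the clients per protocol from smtpd "TLS connection established from" lines like the one quoted above. The function names, host names and addresses in the sample log are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log lines (documentation host names and addresses).
sample_log() {
    cat <<'EOF'
Jan 12 14:21:59 mx1 postfix/smtpd[6814]: Anonymous TLS connection established from mx.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 12 14:22:03 mx1 postfix/smtpd[6815]: connect from old.example.net[192.0.2.10]
Jan 12 14:22:04 mx1 postfix/smtpd[6815]: Anonymous TLS connection established from old.example.net[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 12 14:25:40 mx1 postfix/smtpd[6820]: Anonymous TLS connection established from old.example.net[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 12 14:31:12 mx1 postfix/smtpd[6822]: Anonymous TLS connection established from relay.example.com[203.0.113.5]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jan 12 14:40:09 mx1 postfix/smtpd[6830]: Anonymous TLS connection established from mx.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
EOF
}

# Read Postfix log lines on stdin and print "count client cipher" for every
# session that negotiated the given protocol (default TLSv1), most frequent
# first, followed by a one-line summary.
tls_legacy_clients() {
    awk -v proto="${1:-TLSv1}" '
        / TLS connection established from / && / with cipher / {
            # Locate fields by keyword rather than by position from the end
            # of the line, so extra text after the bit count does not matter.
            for (i = 1; i <= NF; i++) {
                if ($i == "from")   client = $(i + 1)
                if ($i == "cipher") { version = $(i - 2); cipher = $(i + 1) }
            }
            sub(/:$/, "", client)          # drop the colon after host[addr]
            total++
            if (version == proto) { hits++; seen[client " " cipher]++ }
        }
        END {
            cmd = "sort -rn"
            for (k in seen) printf "%d %s\n", seen[k], k | cmd
            close(cmd)                     # let sort finish before the summary
            printf "%d of %d sessions used %s\n", hits, total, proto
        }'
}

# Stand-alone run on the constructed sample; on a real server, feed it with
# something like: zcat -f /var/log/mail.log* | tls_legacy_clients TLSv1
sample_log | tls_legacy_clients TLSv1
```

The protocol is compared by exact match, so asking for TLSv1 does not also count TLSv1.2 sessions.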