On 12 January 2017 at 20:13, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
> Thank you, that is working perfectly as I need.
> http://www.postfix.org/postconf.5.html#smtpd_tls_loglevel
>
> # -ALF 2017-01-12
> smtpd_tls_loglevel = 1
>
> example output for others to see....
>
> Jan 12 14:21:59 mta4 postfix/smtpd[6814]: Anonymous TLS connection established from angelo.uits.uconn.edu[137.99.80.129]: TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)
>

Just for amusement (it's been a long day) I had a look at the selected
encryption for incoming mails on one of our servers over the last few
months. One cipher and one protocol predominate
[ECDHE-RSA-AES128-GCM-SHA256 (128/128_bits) TLSv1.2] but quite a range
of others are used too. I would prefer to disable TLSv1(.0) because it
does not pass PCI DSS v3.2 but evidently that is not workable at the
moment:

# zgrep "to.* TLS.* with cipher" /var/log/mail.log*|awk '{if ($NF=="bits)") print $(NF-2),$(NF-1)"_"$NF,$(NF-5)}'|sort|uniq -c|sort -rn
  15509 ECDHE-RSA-AES128-GCM-SHA256 (128/128_bits) TLSv1.2
    798 ADH-AES256-SHA (256/256_bits) TLSv1
    751 ECDHE-RSA-AES256-GCM-SHA384 (256/256_bits) TLSv1.2
    254 AES256-SHA (256/256_bits) TLSv1
    235 DHE-RSA-AES256-GCM-SHA384 (256/256_bits) TLSv1.2
     36 ECDHE-RSA-AES256-SHA384 (256/256_bits) TLSv1.2
     32 AECDH-AES256-SHA (256/256_bits) TLSv1.2
     11 ECDHE-RSA-AES256-SHA (256/256_bits) TLSv1
      7 DHE-RSA-AES256-SHA (256/256_bits) TLSv1
      6 AES128-GCM-SHA256 (128/128_bits) TLSv1.2
      4 ECDHE-RSA-AES256-SHA (256/256_bits) TLSv1.2
      3 DHE-RSA-AES128-SHA (128/128_bits) TLSv1.2
      1 ADH-AES256-GCM-SHA384 (256/256_bits) TLSv1.2
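
To judge whether disabling TLSv1 is workable, the same log lines can be grouped by sending host instead of by cipher, which shows who would be affected. This is an added example, not part of the original post; the sample log lines and the function names `sample_log` and `tls_peers_below_12` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the smtpd_tls_loglevel = 1 format shown above.
# Host names and addresses are made up (documentation ranges).
sample_log() {
cat <<'EOF'
Jan 12 14:21:59 mta4 postfix/smtpd[6814]: Anonymous TLS connection established from mx1.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 12 14:22:03 mta4 postfix/smtpd[6815]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 12 14:22:40 mta4 postfix/smtpd[6815]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jan 12 14:23:11 mta4 postfix/smtpd[6820]: Anonymous TLS connection established from relay.example.com[203.0.113.5]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 12 14:23:30 mta4 postfix/smtpd[6821]: connect from unknown[203.0.113.9]
EOF
}

# Read Postfix log lines on stdin and print "count peer protocol" for every
# peer that negotiated a protocol older than TLSv1.2, busiest peer first.
# The fields are located relative to the words "with cipher" rather than
# counted from the end of the line, so unrelated lines are simply skipped.
tls_peers_below_12() {
    awk '
    {
        for (i = 3; i < NF - 1; i++) {
            if ($i == "with" && $(i+1) == "cipher") {
                proto = $(i-1)                  # e.g. TLSv1, TLSv1.2
                peer = $(i-2)                   # e.g. host[addr]:
                sub(/:$/, "", peer)
                if (proto != "TLSv1.2" && proto != "TLSv1.3")
                    n[peer " " proto]++
                break
            }
        }
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Demo on the constructed sample. On a real server, feed the logs instead:
#   zcat -f /var/log/mail.log* | tls_peers_below_12
sample_log | tls_peers_below_12
```
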
