stefan Bauer:
> Nessus reports for example TLS_RSA_WITH_SEED_CBC_SHA as weak on our
> submission port. So I was using the following to disable all SEED ciphers
> on submission port but it has no effect:
>
> -o smtpd_tls_mandatory_ciphers=high
> -o tls_preempt_cipherlist=yes
> -o tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

I see no evidence that smtpd is using mandatory TLS, which I think is a
prerequisite for the above settings to have an observable effect.

	Wietse
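
A check for the condition described in the reply above, as an added example that is not part of the original thread and is not Postfix code: it parses a constructed master.cf fragment and warns when smtpd_tls_mandatory_ciphers is overridden for a service that does not enforce TLS. The function names, the main_cf_level parameter and the sample fragment are assumptions made for illustration; only plain "-o name=value" overrides are handled.

```python
import re

# Constructed master.cf fragment modelled on the overrides quoted above
# (cipher list shortened); it is not the poster's actual file.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_mandatory_ciphers=high
  -o tls_preempt_cipherlist=yes
  -o tls_high_cipherlist=EECDH:!aNULL:!SEED
"""


def service_overrides(master_cf, service):
    """Collect the "-o name=value" overrides of one master.cf service."""
    overrides, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # unindented line starts a new service entry
            current = line.split()[0]
        if current == service:
            overrides.update(re.findall(r"-o\s+(\w+)=(\S*)", line))
    return overrides


def tls_is_mandatory(overrides, main_cf_level=""):
    """True when smtpd enforces TLS for this service.

    main_cf_level is a hypothetical parameter standing in for the
    smtpd_tls_security_level value from main.cf (empty if unset).
    """
    level = overrides.get("smtpd_tls_security_level", main_cf_level)
    if level:  # a non-empty level overrides the legacy parameter
        return level == "encrypt"
    return overrides.get("smtpd_enforce_tls", "no") == "yes"


def check_service(master_cf, service, main_cf_level=""):
    """Return warnings about cipher settings that cannot take effect."""
    overrides = service_overrides(master_cf, service)
    warnings = []
    if ("smtpd_tls_mandatory_ciphers" in overrides
            and not tls_is_mandatory(overrides, main_cf_level)):
        warnings.append(
            f"{service}: smtpd_tls_mandatory_ciphers is set, but TLS is not "
            "mandatory here, so smtpd_tls_ciphers selects the cipher grade")
    return warnings


if __name__ == "__main__":
    print(check_service(SAMPLE_MASTER_CF, "submission"))
```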