On Mon, Jan 25, 2021 at 10:38:46PM +0100, Jörg Backschues wrote:

> # TLS
> tls_high_cipherlist =
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

Limiting the ciphers to just:

    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-CHACHA20-POLY1305
    ECDHE-RSA-CHACHA20-POLY1305

is a terrible idea. The net effect of this attempt to increase security is
to reduce security, by forcing all email to peers that don't do ECDHE to
be sent in the clear.

Since your mail server is doing *opportunistic* TLS
(<https://tools.ietf.org/html/rfc7435>), it is willing to use the weakest
cipher of all, namely cleartext. Therefore, configuring highly restrictive
cipherlists is just wrong. Keep reading RFC7435 until you've lost the urge
to dial security up to 11.

Real security results from raising the ceiling (offering stronger options),
not the floor (removing everything but the strongest options).

Yes, ultimately one should also *gradually* raise the floor to eliminate
just the truly obsolete features that are no longer used by anyone, but
this needs to be done with care, and mostly just by leaving it to the
underlying libraries (i.e. OpenSSL) to drop support for obsolete cruft.

Postfix has sensible defaults for the low level cipher lists. Resist the
temptation to "improve" them.

-- 
    Viktor.
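To make the "raising the ceiling vs. raising the floor" point concrete, here is a small added model (not code from the thread or from Postfix) of how an opportunistic-TLS sender fares against peers with different cipher support under the quoted restrictive list and under a broader one. The BROAD list, the PEERS profiles and the "first offered cipher the peer accepts" selection rule are all constructed simplifications for illustration, not Postfix's actual defaults or OpenSSL's real negotiation.

```python
# Added example, not part of the mailing-list thread: a toy model of how an
# opportunistic-TLS sender (Postfix "smtp_tls_security_level = may") fares
# against peers with different cipher support under two cipher lists.
# Cipher selection is simplified to "first cipher in the sender's offered
# order that the peer also supports"; real OpenSSL negotiation honours
# server preference and protocol version. BROAD and the peer profiles are
# constructed for illustration; they are not Postfix's actual defaults.

RESTRICTIVE = [  # the list proposed in the quoted configuration
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
]
BROAD = RESTRICTIVE + [  # constructed stand-in for a permissive default list
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384", "AES128-SHA",
]
PEERS = {  # constructed receiving-MX profiles: cipher suites each accepts
    "modern":     {"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305"},
    "legacy-dhe": {"DHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384"},
    "rsa-only":   {"AES128-SHA"},
    "no-tls":     set(),  # does not advertise STARTTLS at all
}

def negotiate(offered, peer_supported):
    """First cipher in the sender's preference order the peer accepts, else None."""
    return next((c for c in offered if c in peer_supported), None)

def delivery_outcome(offered, peer_supported, security_level="may"):
    """Model the fate of one message: 'encrypted', 'cleartext' or 'deferred'."""
    cipher = negotiate(offered, peer_supported)
    if cipher:
        return ("encrypted", cipher)
    if security_level == "may":
        # Opportunistic TLS (RFC 7435): no usable TLS means plaintext delivery.
        return ("cleartext", None)
    return ("deferred", None)  # mandatory TLS ('encrypt' and up) queues instead

def compare(peers=PEERS):
    """Map each peer to (outcome with RESTRICTIVE, outcome with BROAD)."""
    return {name: (delivery_outcome(RESTRICTIVE, s)[0], delivery_outcome(BROAD, s)[0])
            for name, s in peers.items()}

def encrypted_count(offered, peers=PEERS):
    """How many peers end up with an encrypted session for a given cipher list."""
    return sum(delivery_outcome(offered, s)[0] == "encrypted" for s in peers.values())

if __name__ == "__main__":
    for name, (restrictive, broad) in compare().items():
        print(f"{name:11s} restrictive={restrictive:10s} broad={broad}")
    print("encrypted peers:", encrypted_count(RESTRICTIVE), "vs", encrypted_count(BROAD))
```

With these profiles the restrictive list encrypts to one peer and sends two others in cleartext, while the broader list encrypts to three; the only way to stop the cleartext fallback entirely is a mandatory security level, which defers mail instead.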