On 18.03.2023 at 21:08:17 Steffen Nurpmeso via Postfix-users wrote:
> I still have no problems with
> 
>   smtpd_tls_mandatory_protocols = >=TLSv1.2
>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
>   smtpd_tls_mandatory_ciphers = high
> 
> Neither for lighttpd nor for postfix.

First, we should not mix HTTP(S) with SMTP; these are two completely
different things. While as strict TLS security as possible in web
browsing is essential (think about the various highly private data you are
transmitting, e.g. when doing online shopping or banking), it has much less
meaning in email, due to the nature of TLS in email being opportunistic, which
means that if servers can't negotiate a TLS connection, they fall back to
plaintext (unencrypted), because mail must be delivered anyway.

As mail can go through various intermediate servers over which you have no
control, and can be stored on them for a period of time over which you have
no control, if anything highly sensitive is sent via email, it should be
end-to-end encrypted anyway, using applications like gpg or similar, and not
rely on transport encryption.

Second, most web browsers nowadays (as well as mail clients) have supported TLS
v1.2 for a long time, so there is of course very little probability that someone
who uses such an outdated browser that it doesn't support TLS v1.2 will try to
access your website, *and*: a) either that person will complain to you, or
b) you will notice it in your httpd logs.

Third, there are still quite a few mail *servers* that don't support TLS
v1.2. In that case, they will fall back to plaintext when sending mail to
your server. Do you analyze your logs for such cases?

When I occasionally browse my Postfix logs, I notice one particular server
(from which I receive mail quite often) that can negotiate only a TLS v1
connection with my server. So if I required TLS>=1.2 on my server, that
server would fall back to plaintext to send mail to me. I think that TLS v1
is still better security than no encryption at all ;)
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
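The question raised above ("Do you analyze your logs for such cases?") can be answered mechanically. The script below is an added example, not code from the thread or from the Postfix project: it reads Postfix smtpd log lines, correlates each "TLS connection established" line with the following "disconnect" line from the same smtpd process, and reports per sending server which TLS version was negotiated or whether the session ran in plaintext. It then lists the clients that would be pushed to plaintext if the server floor were raised to TLS 1.2, which is exactly the trade-off discussed in the post. The log lines are constructed samples in standard Postfix syslog format with documentation hostnames and addresses; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample Postfix smtpd log lines (hosts/IPs are RFC 5737
# documentation addresses, not real servers). Process 4013 never logs a
# TLS line, so its session ran in plaintext.
SAMPLE_LOG = """\
Mar 18 21:00:01 mx postfix/smtpd[4011]: connect from mail.example.net[192.0.2.10]
Mar 18 21:00:01 mx postfix/smtpd[4011]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 18 21:00:02 mx postfix/smtpd[4011]: disconnect from mail.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 18 21:01:10 mx postfix/smtpd[4012]: connect from relay.example.org[198.51.100.7]
Mar 18 21:01:10 mx postfix/smtpd[4012]: Anonymous TLS connection established from relay.example.org[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 18 21:01:11 mx postfix/smtpd[4012]: disconnect from relay.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 18 21:02:30 mx postfix/smtpd[4013]: connect from legacy.example.com[203.0.113.5]
Mar 18 21:02:31 mx postfix/smtpd[4013]: disconnect from legacy.example.com[203.0.113.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Postfix prefixes the TLS line with the trust level of the peer certificate.
CONNECT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: connect from (\S+)")
TLS_RE = re.compile(
    r"postfix/smtpd\[(\d+)\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established from (\S+): (TLSv[\d.]+) with cipher (\S+)"
)
DISCONNECT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from (\S+)")


def parse_tls_version(proto):
    """Turn 'TLSv1' / 'TLSv1.2' into a comparable (major, minor) tuple."""
    parts = proto[len("TLSv"):].split(".")
    return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0


def summarize_tls(log_text):
    """Return {client: {protocol_or_'plaintext': session_count}}.

    An smtpd process serves one session at a time, so the pid links a TLS
    line to the disconnect line that closes the same session. A session
    that disconnects without a TLS line in between was plaintext.
    """
    tls_by_pid = {}
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            tls_by_pid.pop(m.group(1), None)  # new session, drop stale state
            continue
        m = TLS_RE.search(line)
        if m:
            pid, _client, proto, _cipher = m.groups()
            tls_by_pid[pid] = proto
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            pid, client = m.groups()
            proto = tls_by_pid.pop(pid, None)
            summary[client][proto if proto else "plaintext"] += 1
    return {client: dict(counts) for client, counts in summary.items()}


def clients_below(summary, minimum="TLSv1.2"):
    """Clients that negotiated TLS below `minimum`: these are the sessions
    that a stricter smtpd_tls_protocols floor would turn into plaintext.
    Sessions that were already plaintext are unaffected and not counted."""
    floor = parse_tls_version(minimum)
    affected = {}
    for client, counts in summary.items():
        n = sum(c for proto, c in counts.items()
                if proto != "plaintext" and parse_tls_version(proto) < floor)
        if n:
            affected[client] = n
    return affected


if __name__ == "__main__":
    report = summarize_tls(SAMPLE_LOG)
    for client, counts in sorted(report.items()):
        print(client, counts)
    print("would fall back to plaintext with TLS>=1.2:", clients_below(report))
```

Feed it real logs with something like `grep 'postfix/smtpd' /var/log/mail.log | python3 tls_report.py` after changing the `__main__` block to read `sys.stdin`; the "plaintext" bucket shows who already sends without STARTTLS today, and `clients_below` shows who would join them after raising the floor.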
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org