Jaroslaw Rafa wrote in
 <20230318203334.ga31...@rafa.eu.org>:
 |On 18.03.2023 at 21:08:17 Steffen Nurpmeso via Postfix-users wrote:
 |> I still have no problems with
 |>
 |>   smtpd_tls_mandatory_protocols = >=TLSv1.2
 |>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
 |>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
 |>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
 |>   smtpd_tls_mandatory_ciphers = high
 |>
 |> Neither for lighttpd nor for postfix.
 |
 |First, we should not mix HTTP(S) with SMTP, these are two completely
 |different things. While as strict TLS security as possible in web
 |browsing is essential (think about various highly private data you are
 |transmitting e.g. when doing online shopping or banking), it has much less

Eh, no. I do not do either. (Granted i use PayPal one, two times a
month, but my bank account is not online-enabled.) I _never_ shopped
online. This destroys local pharmacies, shops, small (hopefully) good
jobs that sometimes exist for centuries. Western world cities have
become faceless culture-free concrete jungles with McDonald's smell
for kilometres. No.

 |meaning in email, due to the nature of TLS in email being opportunistic, that
 |means, if servers can't negotiate a TLS connection, they fall back to
 |plaintext (unencrypted), because mail must be delivered anyway.
 |
 |As mail can go through various intermediate servers over which you have no
 |control, and can be stored on them for a period of time over which you have
 |no control, if anything highly sensitive is sent via email, it should be
 |end-to-end encrypted anyway, using applications like gpg or similar, and not
 |rely on transport encryption.
 |
 |Second, most web browsers nowadays (as well as mail clients) have supported TLS
 |v1.2 for a long time, so it's of course very little probability that someone
 |who uses such an outdated browser that it doesn't support TLS v1.2 will try to
 |access your website, *and*: a) either that person will complain to you, or
 |b) you will notice it in your httpd logs.

Sorry i do not understand a word. Long time TLSv1.2, yes.

 |Third, there are still quite a few mail *servers* that don't support TLS
 |v1.2. In that case, they will fall back to plaintext when sending mail to
 |your server. Do you analyze your logs for such cases?

I have looked once i switched. I noted a rush of lower connections
once i posted the above last. Even the GNU server now uses more
modern things, as it gets through. I do not know one.

 |When I occasionally browse my Postfix logs, I notice one particular server
 |(from which I receive mail quite often) that can negotiate only a TLS v1
 |connection with my server. So if I would require TLS>=1.2 on my server, that
 |server would fall back to plaintext to send mail to me. I think that TLS v1
 |is still better security than no encryption at all ;)

For _me_ it works in practice and there is no fallout. I get anything
i need / expect. If you have to take care of some elder servers then
this is surely a problem you have to solve, especially if it is your
business. In general people update OpenSSL / crypto library of
choice, aka install their distribution's security updates, in which
case all is well out of the box (and likely would be for some years).

The only problem i currently have is

  Mar 18 22:24:53 postfix/smtpd[26025]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.1.0 may not be compatible with OpenSSL 3.0.0

i hope AlpineLinux recompiles some OpenSSL-linked software so we get
rid of that.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
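An added example (not from this thread and not Postfix's own tooling) of the log review Jaroslaw asks about: it walks constructed lines shaped like Postfix smtpd logging, records the TLS version each sending host negotiated, lists hosts that never reached TLSv1.2 (the ones a `>=TLSv1.2` floor would push to plaintext), and lists sessions that sent mail without ever issuing STARTTLS. Hostnames and addresses in the sample are invented.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Postfix smtpd logging; not real traffic.
SAMPLE_LOG = """\
Mar 18 22:30:01 mx postfix/smtpd[26025]: connect from mail.example.org[192.0.2.10]
Mar 18 22:30:01 mx postfix/smtpd[26025]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 18 22:30:02 mx postfix/smtpd[26025]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 18 22:31:10 mx postfix/smtpd[26031]: connect from old.example.net[198.51.100.7]
Mar 18 22:31:10 mx postfix/smtpd[26031]: Untrusted TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 18 22:31:11 mx postfix/smtpd[26031]: disconnect from old.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 18 22:32:40 mx postfix/smtpd[26040]: connect from plain.example.com[203.0.113.5]
Mar 18 22:32:41 mx postfix/smtpd[26040]: disconnect from plain.example.com[203.0.113.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Ordering used to decide whether a host ever reached the configured floor.
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# "<Anonymous|Trusted|Untrusted|Verified> TLS connection established from host[addr]: PROTO with cipher NAME"
TLS_RE = re.compile(r"TLS connection established from (\S+)\[[^\]]+\]: (TLSv1(?:\.\d)?|SSLv3) with cipher (\S+)")
# Session summary written at disconnect; lists only the SMTP commands the client actually used.
DISC_RE = re.compile(r"disconnect from (\S+)\[[^\]]+\] (.*)$")


def summarize(log_text):
    """Return ({host: set(protocols)}, [hosts that sent MAIL without STARTTLS])."""
    protocols = defaultdict(set)
    plaintext = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            protocols[m.group(1)].add(m.group(2))
            continue
        m = DISC_RE.search(line)
        # A MAIL command in a session whose summary has no starttls= count was plaintext.
        if m and "mail=" in m.group(2) and "starttls=" not in m.group(2):
            plaintext.append(m.group(1))
    return protocols, plaintext


def below_minimum(protocols, minimum="TLSv1.2"):
    """Hosts whose best negotiated protocol is still below `minimum`."""
    floor = RANK[minimum]
    return sorted(h for h, ps in protocols.items() if max(RANK[p] for p in ps) < floor)


if __name__ == "__main__":
    protos, plain = summarize(SAMPLE_LOG)
    for host, seen in sorted(protos.items()):
        print(f"{host:24} {', '.join(sorted(seen))}")
    print("would fall to plaintext with >=TLSv1.2:", below_minimum(protos))
    print("already delivering in plaintext:", plain)
```

Feed it the real file (`summarize(open("/var/log/mail.log").read())`) and the second list answers Jaroslaw's question directly: which senders already skip STARTTLS today, before any protocol floor is tightened.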