I've been using a limited ("hardened") set of SSL ciphers in tlsserverciphers, 
but have noticed today that there have been 13 delivery failures from our 
server in the past twenty days:

    
TLS_connect_failed:_error:14077410:SSL_routines:SSL23_GET_SERVER_HELLO:sslv3_alert_handshake_failure;_connected_to_174.127.104.86./
    
(This error corresponds to a delivery attempt to [email protected]—the 
address doesn't go anywhere, so you're welcome to try it.)

I've been using the cipher set generated by `openssl ciphers 
'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES'`. I changed this to all default ciphers 
listed by `openssl ciphers > /var/qmail/control/tlsserverciphers` and the 
message to the nobody@ address succeeds.

So—the question is, is it really worth using safer/stronger ciphers if mail 
deliverability suffers? Thirteen failures out of about 40,000 messages sent is 
a small amount, but this was an important client I was unable to send mail to, 
so I noticed personally. 

What are the risks of running the full cipher set? I can answer this myself: 
exposing risk to man-in-the-middle attacks, etc… So it certainly is a weighted 
concern. What d'y'all think?

Quinn

Reply via email to