I've been using a limited ("hardened") set of SSL ciphers in tlsserverciphers,
but have noticed today that there have been 13 delivery failures from our
server in the past twenty days:
TLS_connect_failed:_error:14077410:SSL_routines:SSL23_GET_SERVER_HELLO:sslv3_alert_handshake_failure;_connected_to_174.127.104.86./
(This error corresponds to a delivery attempt to [email protected]—the
address doesn't go anywhere, so you're welcome to try it.)
I've been using the cipher set generated by `openssl ciphers
'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES'`. I changed this to all default ciphers
listed by `openssl ciphers > /var/qmail/control/tlsserverciphers` and the
message to the nobody@ address succeeds.
So—the question is, is it really worth using safer/stronger ciphers if mail
deliverability suffers? Thirteen failures out of about 40,000 messages sent is
a small amount, but this was an important client I was unable to send mail to,
so I noticed personally.
What are the risks of running the full cipher set? I can answer this myself:
exposing risk to man-in-the-middle attacks, etc… So it certainly is a weighted
concern. What d'y'all think?
Quinn