
Re: postfix hardening - what can we do?

  • micah
    Oct 4, 2013
      Viktor Dukhovni <postfix-users@...> writes:

      >> but...the way this works: the server gets offered a list of ciphersuites
      >> from the client, and then the server picks a ciphersuite, so without
      >> knowing how the server picks its ciphersuites from the client, these
      >> results are not clear.
      >
      > By default the server picks the client's most preferred cipher that
      > is also available on the server. You can set "tls_preempt_cipherlist
      > = yes" to have the server use its most preferred cipher supported
      > by the client. This could break some fragile clients that offer
      > ciphers (at a low preference) whose implementation is broken.

      That is interesting. I tried to preempt the cipherlist and disable ECDHE
      to avoid the NIST curves, but couldn't get postfix to exclude that
      cipher using smtpd_tls_exclude_ciphers. It wasn't clear to me from
      http://www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers what
      the correct syntax to use there is; I tried kxECDHE but that didn't work
      either. Do you know what format those are specified in?

      micah
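To make the two settings in the exchange concrete, here is an added toy model (not Postfix or OpenSSL code) of how `tls_preempt_cipherlist` changes the cipher pick and how `smtpd_tls_exclude_ciphers` terms are matched. The cipher lines are constructed in the column layout of `openssl ciphers -v`, and the keyword table is an assumed, deliberately small subset of OpenSSL's cipher-string aliases, not its full grammar.

```python
"""Toy model of two Postfix smtpd TLS knobs (illustrative, not Postfix code)."""

# Constructed sample in the column layout of `openssl ciphers -v`:
# name  protocol  Kx=  Au=  Enc=  Mac=
SERVER_CIPHERS = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA        TLSv1   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=MD5
"""

# Assumed subset of OpenSSL cipher-string keywords -> (column, value) matched.
# Exclude terms use these OpenSSL names; a token that is not one of them
# (the thread's "kxECDHE") simply matches nothing and excludes nothing.
KEYWORDS = {
    "kEECDH": ("Kx", "ECDH"),   # ephemeral ECDH key exchange
    "kEDH":   ("Kx", "DH"),     # ephemeral DH key exchange
    "aNULL":  ("Au", "None"),   # no authentication
    "MD5":    ("Mac", "MD5"),
    "RC4":    ("Enc", "RC4"),
}

def parse_ciphers(text):
    """Turn `openssl ciphers -v` style lines into (name, {Kx, Au, Enc, Mac})."""
    suites = []
    for line in text.splitlines():
        name, _proto, *attrs = line.split()
        fields = dict(a.split("=", 1) for a in attrs)
        fields["Enc"] = fields["Enc"].split("(")[0]  # drop the key size
        suites.append((name, fields))
    return suites

def apply_exclude(suites, exclude):
    """smtpd_tls_exclude_ciphers: comma/space separated OpenSSL terms."""
    terms = [t for t in exclude.replace(",", " ").split() if t in KEYWORDS]
    kept = []
    for name, f in suites:
        if any(f.get(KEYWORDS[t][0]) == KEYWORDS[t][1] for t in terms):
            continue
        kept.append(name)
    return kept

def pick_cipher(server, client, preempt):
    """preempt=False: client's most preferred cipher the server has (default).
    preempt=True (tls_preempt_cipherlist = yes): server's most preferred."""
    first, second = (server, client) if preempt else (client, server)
    return next((c for c in first if c in second), None)
```

On a real host the authoritative check is `openssl ciphers -v` run against the server's own OpenSSL build, since the alias set varies by version.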