Dayjob sets:

  smtpd_tls_ciphers = high
  smtpd_tls_mandatory_ciphers = high

===

A "service" called "securityscorecard.com" decided to scan our network without our consent. People who would be our cyberinsurance providers and/or customers have purchased services from securityscorecard, which we were only shown when we engaged with them, which feels like your life insurance company paying someone to dig through your trash and asking "why you take so much ibuprofen, you sick or something?"

Anyway, one of the biggest claims is that, on port 25, "SSL/TLS Service Supports Weak Protocol". They rate this as Threat Level: High and Breach Risk: High, and it's the number one thing lowering our "Score".

===

The checker at https://luxsci.com/smtp-tls-checker/ reports that we only score a B+, and suggests:

  Able to connect via cipher TLS_AES_256_GCM_SHA384.
  Remove support for all 3DES ciphers. These are known to be weak and are removed in NIST 800-52r2.

It makes no mention of TLS protocol version. I suspect this is a checker bug.

===

First, what am I missing that makes this "Weak"? Some pages rate this as an "A+" cipher (https://scanigma.com/knowledge-base/tls/ciphersuite/tls-aes-256-gcm-sha384), and https://ciphersuite.info/cs/TLS_AES_256_GCM_SHA384/ says "recommended".

I suspect this is because our smtpd_tls_protocols is still riding the default, which defaults to ">=TLSv1".

I also think this is all theater right now, as in the absence of MTA-STS, postfix could refuse to talk <TLSv1.2 and the result would be "mail being delivered in the clear". (We have not yet moved to requiring TLS via MTA-STS.)

So my question: Are the defaults (>=TLSv1) still sane? Or is it "worth" turning this up to >=TLSv1.2?

-Dan

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
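As an added example (not part of Dan's message, and not Postfix code): the two checkers in the thread measure different things. One reports the cipher a modern client negotiated (TLS_AES_256_GCM_SHA384 is a TLS 1.3 suite), the other reports which protocol versions the server will still accept, which the `high` cipher grade does not control. The script below probes port 25 over STARTTLS with the client pinned to one protocol version at a time, lists the versions a scanner would flag as weak, and renders the `main.cf` values that raise the floor to TLS 1.2 on both the receiving (`smtpd_`) and sending (`smtp_`) side. The host name, the EHLO name and the survey mapping used in the offline check are assumptions.

```python
"""Probe which TLS versions an SMTP server accepts on STARTTLS and render the
Postfix settings that pin the floor at TLS 1.2.

Added example for this thread; not Postfix code and not the poster's setup.
The host name, the EHLO name and the survey mappings are assumptions.
"""
import smtplib
import ssl

# Protocol versions in ascending order (the ssl module cannot pin SSLv3).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1", "TLSv1.1")   # what "Supports Weak Protocol" refers to


def pinned_context(name):
    """Client context that negotiates exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # testing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    if name in LEGACY:
        # OpenSSL 3.x refuses TLS 1.0/1.1 at its default security level, so
        # without this a "refused" result would reflect the client, not the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_starttls(host, name, port=25, timeout=10):
    """True if the server completes a STARTTLS handshake pinned to `name`.

    Any handshake or SMTP failure counts as "not supported".  Needs network
    access, so the offline check below does not call it.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo("probe.example")          # hypothetical EHLO name
            if not smtp.has_extn("starttls"):
                return False
            smtp.starttls(context=pinned_context(name))
            return True
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return False


def survey(host, port=25):
    """Map every version name to whether `host` accepts it."""
    return {name: probe_starttls(host, name, port) for name in VERSIONS}


def weak_protocols(supported):
    """Versions a scanner would flag, given a {version: bool} survey result."""
    return [name for name in LEGACY if supported.get(name)]


def postfix_settings(minimum="TLSv1.2"):
    """main.cf values that raise the opportunistic-TLS floor on both sides.

    smtpd_* governs inbound (what a port-25 scanner sees), smtp_* what this
    MTA offers when sending.  The ">=" form is Postfix 3.6+ syntax; older
    releases take the exclusion list returned under "legacy_syntax".
    """
    names = list(VERSIONS)
    below = ["SSLv2", "SSLv3"] + names[: names.index(minimum)]
    return {
        "smtpd_tls_protocols": ">=" + minimum,
        "smtp_tls_protocols": ">=" + minimum,
        "legacy_syntax": ", ".join("!" + v for v in below),
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # assumption
    result = survey(host)
    for name, ok in result.items():
        print(f"{name:8s} {'accepted' if ok else 'refused'}")
    print("scanner would flag:", ", ".join(weak_protocols(result)) or "nothing")
    for key, value in postfix_settings().items():
        print(f"{key} = {value}")
```

Compare `postconf -d smtpd_tls_protocols` (the compiled-in default) with `postconf smtpd_tls_protocols` (the running value) to confirm whether the floor is still the default. The opportunistic parameters above are separate from `smtpd_tls_mandatory_protocols` / `smtp_tls_mandatory_protocols`, which only apply at the mandatory security levels; raising one does not change the other.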
