Hi Viktor,
On 03-04-2026 at 15:14, Viktor Dukhovni via Postfix-users wrote:
On Fri, Apr 03, 2026 at 03:04:06PM +0200, Paul van der Vlis via Postfix-users
wrote:
There is certainly something to criticize about your domain, isn't there? No
DMARC or SPF policy, and you support ciphers like ADH-AES256-GCM-SHA384 that
are no longer secure.
The lack of DMARC and SPF is quite deliberate, and aligns well with my
threat model. And see section 8.1 of RFC7672 for the reason why ADH
ciphers are supported with TLS 1.2. Some day I might publish a
specification for a null-certificate type with TLS 1.3, but poking
that hornet's nest hasn't yet been a priority.
I think it's correct that you don't get 100% ;-)
You're of course free to apply your criteria to your own domains.
Assuming that your threat model and risk analysis is universally
applicable seems unwise.
My "smtpd_tls_security_level = encrypt" and my tls_policy are of course
very debatable, and I don't know if I should leave it like this. At the
moment it's only a test-server, an account on it is [email protected].
Some people even say that I should enable TLS 1.0.
I am also free to question the universality of "internet.nl"'s choices.
of course ;-)
With regards,
Paul
--
Paul van der Vlis Linux system administration Groningen
https://vandervlis.nl/
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
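The settings Paul calls "debatable" above are the inbound "smtpd_tls_security_level = encrypt" and his tls_policy table. The fragment below is an added illustration for this thread, not Paul's or Viktor's actual main.cf and not taken from the Postfix source: it puts the mandatory inbound setting next to the opportunistic one that Postfix's TLS_README recommends for a public MX (a publicly referenced MX must not require STARTTLS), and shows the outbound DANE level plus a policy table in which per-destination levels override it. The file paths, domain names and table entries are assumptions chosen for the example.

```ini
# /etc/postfix/main.cf (illustrative fragment, not from the original post)

# --- Inbound (smtpd) ---
# Debated setting from the thread: refuse cleartext SMTP from any client.
# A public MX that does this violates RFC 3207 section 4 (a publicly
# referenced server MUST NOT require STARTTLS) and causes legitimate
# senders without TLS to bounce rather than deliver.
# smtpd_tls_security_level = encrypt

# Opportunistic alternative: offer STARTTLS, accept cleartext if the
# client does not use it. This is the level TLS_README recommends for
# an internet-facing MX.
smtpd_tls_security_level = may
smtpd_tls_cert_file      = /etc/postfix/mx.example.net.pem   # assumed path
smtpd_tls_key_file       = /etc/postfix/mx.example.net.key   # assumed path

# Anonymous (ADH/aNULL) ciphers stay enabled at the "may" level on purpose:
# the peer is not authenticated anyway, so excluding them buys nothing
# (RFC 7672 section 8.1). Leave smtpd_tls_exclude_ciphers unset for that.

# --- Outbound (smtp) ---
# DANE: verify TLSA records when the destination publishes them under
# DNSSEC, otherwise fall back to opportunistic TLS. Needs a validating
# resolver, hence smtp_dns_support_level = dnssec.
smtp_dns_support_level  = dnssec
smtp_tls_security_level = dane

# Per-destination overrides; the right-hand side is the level to use.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy            # assumed path
```

Constructed contents for /etc/postfix/tls_policy (run "postmap" on it after editing; the destination names are made up for the example): "partner.example secure match=mx.partner.example" requires a verified certificate for that one domain, "bank.example dane-only" refuses delivery when the DANE lookup fails instead of falling back, and "legacy.example may" forces opportunistic TLS for a host that cannot be made to pass verification. At the secure, verify, fingerprint and dane levels Postfix excludes the anonymous ciphers itself, so the ADH suites that internet.nl flags only ever appear on unauthenticated, opportunistic sessions.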