-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On Fri, Aug 08, 2014 at 04:11:51PM +0200, Reindl Harald wrote:
Am 08.08.2014 um 15:44 schrieb Eric H. Christensen:
On Fri, Aug 08, 2014 at 03:36:51PM +0200, Reindl Harald wrote:
Am 08.08.2014 um 15:21 schrieb Nikos Mavrogiannopoulos:
Postfix is a different kind of beast though. It does not typically use TLS, but uses some kind of opportunistic security that allows anonymous ciphersuites. So it's a bit hard to enforce anything there, as man-in-the-middle attacks are possible by design
and keep in mind in case of opportunistic TLS if you restrict ciphers and the SMTP client don't support what you offer it falls back to completly plaintext which defeats the intention
Falling back to an insecure cipher only provides a false sense of security which isn't any better than plaintext.
you *can not* enforce ciphers for opportunistic TLS - period because that is the nature of *opportunistic*
I agree with your assessment, however, ordering the ciphers that are to be used can still be done.
- -- Eric
- -------------------------------------------------- Eric "Sparks" Christensen Red Hat, Inc - Product Security
sparks@redhat.com - sparks@fedoraproject.org 097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1 - --------------------------------------------------