Closed HLFH closed 8 years ago
It’s a very very very bad practice to get an A on SMTP, and worse with TLSv1.2 only. SMTP/STARTTLS is opportunistic: if the recipient MTA doesn’t support one of the author MTA’s ciphers or protocols, the mail falls back to plain text. So it’s better to have an F grade for SMTP, with every cipher and protocol enabled. Better to have TLSv1.0+RC4 than plain text.
(If you want an A+ (for HTTPS or SMTP or any other TLS stuff), you need to support only PFS ciphers.)
Thanks. I guess that with the implementation of https://tools.ietf.org/html/rfc7672, it will be a great bad practice :) I'll do that.
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
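To make the opportunistic-fallback argument from the first comment concrete, here is an added model (not code from this thread or from the tls.imirhil.fr project) of how an OpenSSL-style cipher spec such as the `AES128+EECDH:AES128+EDH` list above is expanded, and what happens when a peer offers no overlapping suite at Postfix's opportunistic (`may`) level. The suite table, alias table and peer offers are constructed for illustration.

```python
"""Model of an opportunistic STARTTLS outcome for an OpenSSL-style cipher spec."""
from typing import Dict, List

# Constructed table: suite name -> attributes an OpenSSL alias can match on.
SUITES: Dict[str, Dict[str, str]] = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"kx": "EECDH", "enc": "AES128"},
    "DHE-RSA-AES128-SHA":          {"kx": "EDH",   "enc": "AES128"},
    "AES128-SHA":                  {"kx": "RSA",   "enc": "AES128"},  # no PFS
    "RC4-SHA":                     {"kx": "RSA",   "enc": "RC4"},     # no PFS
}

# Constructed alias table: only the aliases used in the thread are modelled.
ALIASES = {"AES128": ("enc", "AES128"), "RC4": ("enc", "RC4"),
           "EECDH": ("kx", "EECDH"), "EDH": ("kx", "EDH"), "RSA": ("kx", "RSA")}


def expand_spec(spec: str) -> List[str]:
    """Expand 'A+B:C' into the suites matching each ':'-separated clause.
    '+' joins aliases that must ALL match (OpenSSL intersection semantics).
    """
    selected: List[str] = []
    for clause in spec.split(":"):
        wanted = [ALIASES[alias] for alias in clause.split("+")]
        for name, attrs in SUITES.items():
            if name not in selected and all(attrs[k] == v for k, v in wanted):
                selected.append(name)
    return selected


def opportunistic_outcome(server_spec: str, client_offer: List[str]) -> str:
    """Pick the first server suite the client also offers; with no overlap an
    opportunistic MTA does not fail the delivery, it sends in plaintext."""
    for suite in expand_spec(server_spec):
        if suite in client_offer:
            return "TLS:" + suite
    return "PLAINTEXT"


# Constructed peers: a legacy MTA offering only non-PFS suites, and a modern one.
LEGACY_PEER = ["AES128-SHA", "RC4-SHA"]
MODERN_PEER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]

if __name__ == "__main__":
    # PFS-only list from the thread against a legacy peer: PLAINTEXT
    print(opportunistic_outcome("AES128+EECDH:AES128+EDH", LEGACY_PEER))
    # Permissive list: TLS:AES128-SHA (weaker suite, but still encrypted)
    print(opportunistic_outcome("AES128+EECDH:AES128+EDH:AES128+RSA:RC4", LEGACY_PEER))
```

The model only covers cipher overlap; a real negotiation also depends on protocol version and certificate checks, which this omits.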
Hi,
Here is an example: I got an A on https://tls.imirhil.fr/smtp/dhautefeuille.eu. Could I get an A+? I respect the PFS best practice. And there is no HSTS for SMTP (I just read that).
I know that right now, it could be useless to get an A+ because of the opportunistic encryption, but I would like to try :)
Thanks in advance, HLFH