lllama closed 8 years ago
Yes, there is still a significant number of senders attempting to use SSLv2, even though it is noted to be vulnerable; see the DROWN attack: https://drownattack.com. Similar issues with SSLv3. If you want to support these legacy protocols (not recommended), then proxying via nginx would be required.
See commit 5cd2a8ca31 for information about past support for these bad ciphers which was removed.
Thanks for the responses. Unfortunately, we need to be fairly permissive with what we allow, as we want to make sure we don't miss any mail. Looks like nginx is the solution for now.
Some clients are refusing to connect over SSL due to either v2 not being supported, or v3 not agreeing a cipher. Is there some config change required to allow other ciphers, or is nginx still required to handle STARTTLS connections?