Mailing List CGatePro@mail.stalker.com Message #106995
From: Tom Rymes trymes@rymes.com <CGatePro@mail.stalker.com>
Subject: Re: TLS Sessions - current state of affairs
Date: Fri, 26 Oct 2018 17:19:51 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
We found that we had to enable certain settings for certain hosts, but it was always just one or two domains, in general, and it was always some large corporation, so the presumption is that we are the ones with a problem, even though the opposite is true.

Oddly, what we found to be a problem was when the other end was trying to use *stronger* encryption than was technically compliant with the older spec.

Tom

On 10/26/2018 3:01 AM, Palvelin Postmaster postmaster@palvelin.fi wrote:
Thanks for your response, Tom. I’m well aware of the tradeoff. However, I’m curious if someone has recently experimented with settings other than the most lenient ones. I mean, it might be that, for example, dropping SSLv3 support wouldn’t be a significant tradeoff anymore.


On 25 Oct 2018, at 20:45, Tom Rymes trymes@rymes.com <CGatePro@mail.stalker.com> wrote:

I don't think anything has changed? My understanding is that, in the context of a mail server, which will generally accept new messages in plaintext, fretting about the encryption strength of the TLS session is often considered to be excessive.

The tradeoff is deliverability vs. encryption strength, as if you require encryption from everywhere, and/or require strong encryption, the list of servers that will be able to successfully exchange mail with your server will rapidly grow to be very short.

It is up to each admin to choose the proper tradeoff for their needs?

Tom

On 10/25/2018 1:28 PM, Palvelin Postmaster postmaster@palvelin.fi wrote:
On 16 Oct 2018, at 10:09, Palvelin Postmaster postmaster@palvelin.fi <CGatePro@mail.stalker.com> wrote:

I wonder what the current state of affairs is with the various TLS Sessions options regarding old/insecure ciphers.

Can/should the CBS and Weak Ciphers options already be disabled and what should the Oldest Accepted option be set to?

Palvelin.fi Hostmaster
postmaster@palvelin.fi

