On 08.08.2014 at 15:21, Nikos Mavrogiannopoulos wrote:
> Postfix is a different kind of beast though. It does not typically use
> TLS, but uses some kind of opportunistic security that allows anonymous
> ciphersuites. So it's a bit hard to enforce anything there, as
> man-in-the-middle attacks are possible by design

and keep in mind: in the case of opportunistic TLS, if you restrict ciphers and the SMTP client doesn't support what you offer, it falls back to completely plaintext, which defeats the intention

for secured and verified SMTP it needs special care:

* DANE and DNSSEC, which goes far beyond email only
* smtpd_tls_ask_ccert, where the admins of both sides must work together and also coordinate cert changes

in short: MTAs acting as public MX must not enforce default TLS policies from the distribution shipping the package
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
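As an added illustration (not part of the message above, and not Postfix's or any distribution's shipped defaults), the following Postfix main.cf fragment keeps inbound TLS opportunistic for arbitrary senders while applying the stricter mechanisms the message names, DANE with a validating resolver, a per-destination policy map, and client-certificate relaying via smtpd_tls_ask_ccert, only where both sides can coordinate. The host names, certificate paths, map file paths and the fingerprint are placeholders chosen for the example.

```ini
# Added example: Postfix main.cf fragment (not from the message above,
# not a distribution default). Host names, cert/key paths, map paths and
# the fingerprint are placeholders.

# --- Inbound (smtpd): this is a public MX, so stay opportunistic ---------
# "may" offers STARTTLS but still accepts plaintext when the client cannot
# or will not negotiate TLS; "encrypt" would refuse mail from such clients.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/mx.example.org.pem
smtpd_tls_key_file  = /etc/postfix/mx.example.org.key
# In opportunistic mode leave smtpd_tls_ciphers / smtpd_tls_protocols at
# the Postfix defaults: a failed handshake here does not protect the mail,
# it only loses the encryption that would otherwise have been negotiated.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

# Ask every client for a certificate (clients without one are unaffected)
# and allow relaying for presented certs whose fingerprint is listed.
# The partner's admin must send a new fingerprint whenever their client
# certificate changes, which is the coordination the message refers to.
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# --- Outbound (smtp): verify where the remote side makes it possible ------
# "dane" is still opportunistic: for destinations with DNSSEC-validated
# TLSA records the certificate is matched and plaintext is refused; for
# all others it behaves like "may". It requires a DNSSEC-validating
# resolver in /etc/resolv.conf (e.g. a local unbound), which is the part
# that reaches beyond the mail setup itself.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1

# Per-destination overrides for partners whose admins you coordinate with.
# Contents of /etc/postfix/tls_policy (run "postmap" after editing), e.g.:
#   partner.example        secure match=mx.partner.example:.partner.example
#   [mx.other.example]     fingerprint match=<sha256 fingerprint from partner>
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

The relay_clientcerts file holds one fingerprint per line (colon-separated hex in the digest set by smtpd_tls_fingerprint_digest, as printed by `openssl x509 -noout -sha256 -fingerprint -in client.pem`) followed by any free text, and both maps need `postmap` after editing. Before adding a `secure` or `fingerprint` entry for a destination, `posttls-finger` from the Postfix package can probe what that MX actually negotiates without sending any mail.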