On Fri, Aug 08, 2014 at 04:11:51PM +0200, Reindl Harald wrote:
> On 08.08.2014 at 15:44, Eric H. Christensen wrote:
> > On Fri, Aug 08, 2014 at 03:36:51PM +0200, Reindl Harald wrote:
> >> On 08.08.2014 at 15:21, Nikos Mavrogiannopoulos wrote:
> >>> Postfix is a different kind of beast though. It does not typically use
> >>> TLS, but uses some kind of opportunistic security that allows anonymous
> >>> ciphersuites. So it's a bit hard to enforce anything there, as
> >>> man-in-the-middle attacks are possible by design
> >
> >> and keep in mind in case of opportunistic TLS if you restrict
> >> ciphers and the SMTP client doesn't support what you offer it
> >> falls back to completely plaintext which defeats the intention
> >
> > Falling back to an insecure cipher only provides a false sense of security
> > which isn't any better than plaintext.
>
> you *can not* enforce ciphers for opportunistic TLS - period
> because that is the nature of *opportunistic*

I agree with your assessment; however, ordering the ciphers that are to be used can still be done.

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security
sparks@xxxxxxxxxx - sparks@xxxxxxxxxxxxxxxxx
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
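
The cipher ordering mentioned in the reply above, as an added Postfix `main.cf` sketch that is not part of the original thread or anyone's posted configuration: opportunistic TLS stays open to every client while the server's preference order decides which cipher is used. The chosen values are illustrative assumptions.

```ini
# /etc/postfix/main.cf (added example; values are illustrative assumptions)

# Opportunistic TLS on the receiving side: STARTTLS is offered, but mail
# from clients that cannot or will not use it is still accepted.
smtpd_tls_security_level = may

# Keep a broad cipher grade. With "may", a client that shares no cipher
# with the server fails the handshake and may deliver in cleartext instead,
# which is the fallback described in the thread.
smtpd_tls_ciphers = medium

# Restrictive alternative the thread warns about for opportunistic TLS
# (left commented out):
# smtpd_tls_ciphers = high

# Use the server's cipher preference order instead of the client's
# (Postfix 2.8 and later), so the strongest mutually supported cipher
# is selected without refusing weaker clients.
tls_preempt_cipherlist = yes

# Log a one-line summary of each TLS session, including the negotiated
# protocol and cipher, so the effect of the ordering can be checked.
smtpd_tls_loglevel = 1
```

After `postfix reload`, the mail log shows the negotiated protocol and cipher per connection, which tells you how many peers would lose TLS if the list were narrowed.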