Hello,
I know this has been asked before. I even created a ticket about this, but got no answer other than 'it is what it is'. But let's try it again now that more than a year has passed. Does anyone have an updated cipher list that works all right?
This is the (standard) list I use on the SMTP interface:
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4
At least I would disable some weak ciphers, because when I validate this list the first hit I get is:
At least one of your mail servers supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.
Technical details:
Mail server (MX) | First found affected cipher | Status |
---|---|---|
mail02.domain.com. | DHE-RSA-SEED-SHA | phase out |
mail01.domain.com. | DHE-RSA-SEED-SHA | phase out |
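
As an added example (not part of the original post): one way to see which suites the posted string expands to and to confirm whether appending `!SEED` drops the flagged `DHE-RSA-SEED-SHA`. It uses the OpenSSL build linked into the local Python, which is an assumption; the mail server's own build can expand the same string differently.

```python
import ssl

# Cipher string copied verbatim from the post above.
POSTED = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
          "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
          "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES "
          "!MD5 !EXP !PSK !SRP !DSS !RC4")


def expand(cipher_string):
    """Return the suite names (TLS 1.2 and below) the local OpenSSL selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and are not governed by
    # this string, so they are left out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def removed_by(cipher_string, exclusion):
    """Append an exclusion (e.g. '!SEED'); return (dropped, remaining) suites."""
    before = expand(cipher_string)
    after = expand(cipher_string + " " + exclusion)
    dropped = [name for name in before if name not in after]
    return dropped, after


if __name__ == "__main__":
    print("Posted string expands to:")
    for name in expand(POSTED):
        print("  ", name)
    dropped, remaining = removed_by(POSTED, "!SEED")
    # Empty when the local OpenSSL build does not offer SEED at all.
    print("Dropped by !SEED:", dropped or "none on this build")
    print("Remaining suites:", len(remaining))
```

The broad `EECDH` and `EDH+aRSA` entries are what pull in suites beyond AES, which is why the expansion is worth listing before and after each exclusion.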