[sdnog] improving your SSL configuration

Philip Paeps philip at trouble.is
Sun Oct 25 04:17:48 SAST 2015


On 2015-10-17 03:30:52 (+0530), Sara Alamin <sara.alamin at sudren.edu.sd> wrote:
> Happy New Year :)

Happy belated new year. :)

> I was doing some troubleshooting, oops I mean debugging [Sorry Trouble :) ]

:-)

> about SSL and I came across these two URLs that may be useful to
> some of you:
> 1. https://www.ssllabs.com/ssltest/index.html
> 2. https://cipherli.st

I didn't know about the second link.  Thank you.  That's very helpful!

Note that in the case of Postfix/Exim/Dovecot, you may need to still support
RC4 and MD5 for the foreseeable future.  Quite a few people still run old
versions of Microsoft Outlook on Microsoft Windows XP which don't support
modern ciphers.

People get very cranky when you "break their email".

I've been logging the ciphers used in my mailservers for a while.  Postfix
now logs them by default.  For Dovecot, you need to add %c to the log format:

   login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"

Hopefully the number of users using weak ciphers will drop to zero at some
point, but I have a feeling that I'll probably want to phone some people when
there are a handful or so left.  Some people will never upgrade by themselves.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information
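
An added example, not part of the original post: tallying per user the Dovecot logins that still negotiate RC4 or MD5, from login lines written with the log format above. The log lines are constructed, and the rendering of %c and %k ("TLS", "TLSv1 with cipher RC4-MD5 (128/128 bits)") and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed rendering of the format elements above).
SAMPLE_LOG = """\
Oct 25 04:01:10 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4101, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 25 04:02:31 mx dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.22, lip=192.0.2.1, mpid=4107, TLS, TLSv1 with cipher RC4-MD5 (128/128 bits)
Oct 25 04:03:02 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.35, lip=192.0.2.1, mpid=4112, TLS, TLSv1 with cipher RC4-SHA (128/128 bits)
Oct 25 04:05:44 mx dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.22, lip=192.0.2.1, mpid=4120, TLS, TLSv1 with cipher RC4-MD5 (128/128 bits)
Oct 25 04:06:00 mx dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1, mpid=4125
"""

WEAK_TOKENS = {"RC4", "MD5"}  # the algorithms the post singles out

# The cipher part is optional: a login without TLS details must still parse.
LOGIN_RE = re.compile(
    r"user=<(?P<user>[^>]*)>"
    r"(?:.*?(?P<proto>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>[\w-]+))?"
)

def parse_logins(text):
    """Yield (user, protocol, cipher) per login line; cipher is None if not logged."""
    for line in text.splitlines():
        if "-login: Login:" not in line:
            continue
        m = LOGIN_RE.search(line)
        if m:
            yield m["user"], m["proto"], m["cipher"]

def is_weak(cipher):
    """True if any dash-separated component of the cipher name is a weak token."""
    return bool(WEAK_TOKENS & set(cipher.upper().split("-")))

def weak_cipher_users(text):
    """Map user -> {cipher: login count} for logins that used a weak cipher."""
    hits = defaultdict(Counter)
    for user, _proto, cipher in parse_logins(text):
        if cipher and is_weak(cipher):
            hits[user][cipher] += 1
    return {user: dict(counts) for user, counts in hits.items()}

def cipher_totals(text):
    """Count logins per cipher, bucketing lines that carry no cipher details."""
    return Counter(c or "no-cipher-logged" for _u, _p, c in parse_logins(text))

if __name__ == "__main__":
    for user, ciphers in sorted(weak_cipher_users(SAMPLE_LOG).items()):
        print(user, ciphers)
```

The per-user map is the list of people still on weak ciphers; the totals show how close the weak-cipher count is to zero before RC4 and MD5 are switched off.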


