<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body smarttemplateinserted="true" bgcolor="#FFFFFF" text="#000000">
<div id="smartTemplate4-template">Hello Frank,<br>
<br>
I am assuming that we are talking here about the MXes that are (also?)
responsible for your sender domain.<br>
<br>
Well, for my personal taste, what you offer on mx1 is a bit too few
ciphers. Especially with TLS on port 25 you (unfortunately) very quickly
run the risk that the other side won't play along.<br>
<br>
<pre>
 SCAN RESULTS FOR MX1.W3MAN.COM:25
 ----------------------------------------------------------------

 * TLSV1_2 Cipher Suites:
 Preferred:
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
 Accepted:
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok

 * TLSV1 Cipher Suites:
 Preferred:
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 Accepted:
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok

 * TLSV1_1 Cipher Suites:
 Preferred:
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 Accepted:
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
</pre>
<br>
and on mx2, in turn, a few too many (anon?? wtf!?):<br>
<br>
<pre>
 SCAN RESULTS FOR MX2.W3MAN.COM:25
 ---------------------------------------------------

 * TLSV1 Cipher Suites:
 Preferred:
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 Accepted:
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_AES_256_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits 250 2.0.0 Ok
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_AES_128_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_SEED_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_SEED_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_RC4_128_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_RC4_128_MD5 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_RC4_128_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_RC4_128_MD5 - 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits 250 2.0.0 Ok

 * TLSV1_1 Cipher Suites:
 Preferred:
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 Accepted:
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_AES_256_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits 250 2.0.0 Ok
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_AES_128_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_SEED_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_SEED_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_RC4_128_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_RC4_128_MD5 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_RC4_128_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_RC4_128_MD5 - 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits 250 2.0.0 Ok

 * TLSV1_2 Cipher Suites:
 Preferred:
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
 Accepted:
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_256_GCM_SHA384 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_AES_256_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_256_CBC_SHA256 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits 250 2.0.0 Ok
 TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits 250 2.0.0 Ok
 TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits 250 2.0.0 Ok
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_AES_128_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_128_GCM_SHA256 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_128_CBC_SHA256 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_SEED_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_SEED_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_RC4_128_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_RC4_128_MD5 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_RC4_128_SHA - 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_RC4_128_MD5 - 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits 250 2.0.0 Ok
</pre>
<br>
<br>
You should keep in mind that it is a bad idea to neglect the backup MX
when it comes to config, because then the best concept as a whole is
useless, or rather pointless.<br>
</div>
<br>
It would also be best to check whether your DH param file
"${config_directory}/dh4096.pem" is OK (present and readable by postfix),
because the DHE ciphers are missing. Unless this is intentional.<br>
<br>
I have the following in tls_exclude_ciphers on my system:<br>
<br>
= aNULL, eNULL, 3DES, RC4, kRSA, kSRP, kPSK<br>
<br>
I am of the opinion that the resulting ciphers are a good compromise
between (still relatively) high security and nevertheless a bit of
legacy support.<br>
<br>
However, one has to bear in mind that the general view on SSL support
and mail transit is that it is better to offer old, insecure ciphers
than to run the risk of the sending system falling back to plaintext
and thus "bypassing" the TLS that was actually wanted. (Funnily and
ironically, HTTPS is seen completely differently: there, ideally,
everything already had to be tomorrow's latest hot stuff yesterday.)<br>
<br>
Everyone has to weigh up for themselves what is best there.<br>
<br>
Regards, Fabian<br>
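<br>
As an added example that is not part of Fabian's mail and not Postfix's or OpenSSL's code: a small Python audit script that parses scan output in the layout quoted above, applies the exclude list from the mail (aNULL, eNULL, 3DES, RC4, kRSA, kSRP, kPSK) to the accepted suites, and reports which suites would be dropped and why, which finite-field DH groups are below 2048 bits, and whether any DHE suite is left at all (the DH param file question from the mail). The sample scan lines are constructed for this example (hostname MX2.EXAMPLE.COM), and the keyword mapping onto IANA suite names (aNULL to `_anon_` suites, kRSA to `TLS_RSA_WITH_*`, and so on) is my own approximation of the OpenSSL cipher-list keywords, not OpenSSL's matching logic.<br>

```python
"""Audit an STARTTLS cipher scan against a Postfix-style exclude list.

Added example, not part of the original mail.  It assumes the scan layout
quoted in the mail (suite name, key-exchange column, strength column) and
approximates the OpenSSL cipher-list keywords from the mail's exclude list
with string tests on the IANA suite names.
"""
import re

# Constructed sample in the layout of the scan output quoted in the mail.
SAMPLE_SCAN = """\
 SCAN RESULTS FOR MX2.EXAMPLE.COM:25
 * TLSV1_2 Cipher Suites:
 Preferred:
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
 Accepted:
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-1024 bits 256 bits 250 2.0.0 Ok
 TLS_DH_anon_WITH_AES_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
 TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits 250 2.0.0 Ok
 TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
 TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits 250 2.0.0 Ok
 * TLSV1 Cipher Suites:
 Preferred:
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 Accepted:
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
 TLS_ECDH_anon_WITH_RC4_128_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
"""

# The exclude list quoted in the mail, in the form Postfix receives it.
EXCLUDE_LIST = "aNULL, eNULL, 3DES, RC4, kRSA, kSRP, kPSK"

# OpenSSL keyword -> approximate test on the IANA suite name (assumption).
# kRSA = static RSA key exchange (TLS_RSA_WITH_*), kPSK = plain PSK exchange.
KEYWORD_TESTS = {
    "aNULL": lambda s: "_anon_" in s,
    "eNULL": lambda s: "_WITH_NULL_" in s,
    "3DES": lambda s: "_3DES_" in s,
    "RC4": lambda s: "_RC4_" in s,
    "kRSA": lambda s: s.startswith("TLS_RSA_WITH_"),
    "kSRP": lambda s: s.startswith("TLS_SRP_"),
    "kPSK": lambda s: s.startswith("TLS_PSK_WITH_"),
}

HEADER_RE = re.compile(r"^\s*\*\s+(\S+) Cipher Suites:")
SUITE_RE = re.compile(r"^\s*(TLS_\S+)\s+(\S+)")


def parse_scan(text):
    """Return {protocol: [(suite, key_exchange), ...]} from the Accepted: sections."""
    result, proto, in_accepted = {}, None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            proto, in_accepted = m.group(1), False
            result.setdefault(proto, [])
            continue
        stripped = line.strip()
        if stripped in ("Accepted:", "Preferred:"):
            in_accepted = stripped == "Accepted:"
            continue
        m = SUITE_RE.match(line)
        if m and proto and in_accepted:
            result[proto].append((m.group(1), m.group(2)))
    return result


def excluded_by(suite, exclude_list=EXCLUDE_LIST):
    """Keywords from the exclude list that would remove this suite."""
    keywords = [k.strip() for k in exclude_list.split(",") if k.strip()]
    return [k for k in keywords if k in KEYWORD_TESTS and KEYWORD_TESTS[k](suite)]


def audit(text, exclude_list=EXCLUDE_LIST, min_dh_bits=2048):
    """Per protocol: suites surviving the exclude list, dropped ones, warnings."""
    report = {}
    for proto, suites in parse_scan(text).items():
        kept, dropped, warnings = [], {}, []
        for suite, kx in suites:
            hits = excluded_by(suite, exclude_list)
            if hits:
                dropped[suite] = hits
                continue
            kept.append(suite)
            dh = re.match(r"^DH-(\d+)", kx)  # finite-field DH only; ECDH-256 is fine
            if dh and int(dh.group(1)) < min_dh_bits:
                warnings.append(f"{suite}: DH group only {dh.group(1)} bits")
        if not any("_DHE_" in s for s in kept):
            warnings.append("no DHE suite accepted; check the DH parameter file")
        report[proto] = {"kept": kept, "dropped": dropped, "warnings": warnings}
    return report


if __name__ == "__main__":
    for proto, r in audit(SAMPLE_SCAN).items():
        print(proto, "kept:", r["kept"])
        for suite, why in r["dropped"].items():
            print("  dropped", suite, "by", ",".join(why))
        for w in r["warnings"]:
            print("  WARNING:", w)
```

<br>
On the server itself the authoritative way to see what such an exclude list leaves over is to ask the local OpenSSL, for example <code>openssl ciphers -v 'ALL:!aNULL:!eNULL:!3DES:!RC4:!kRSA:!kSRP:!kPSK'</code>; the script above only approximates that from a remote scan, which is what you have when you are looking at someone else's MX.<br>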
</body>
</html>