<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body smarttemplateinserted="true" bgcolor="#FFFFFF" text="#000000">
    <div id="smartTemplate4-template">Hello Frank,<br>
      <br>
      I'm assuming we're talking about the MXes that are (also?)
      responsible for your sender domain.<br>
      <br>
      Well, for my personal taste, that's a bit too few ciphers you're
      offering on mx1. Especially with TLS on port 25 you (unfortunately)
      very quickly run the risk that the other side won't play along.<br>
      <br>
      <pre> SCAN RESULTS FOR MX1.W3MAN.COM:25
 ----------------------------------------------------------------

  * TLSV1_2 Cipher Suites:
      Preferred:
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok
      Accepted:
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256           ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256           ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              ECDH-256 bits  128 bits      250 2.0.0 Ok

  * TLSV1 Cipher Suites:
      Preferred:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok
      Accepted:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              ECDH-256 bits  128 bits      250 2.0.0 Ok

  * TLSV1_1 Cipher Suites:
      Preferred:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok
      Accepted:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              ECDH-256 bits  128 bits      250 2.0.0 Ok
</pre>
      <br>
      and on mx2, in turn, a few too many (anon?? wtf!?):<br>
      <br>
      <pre> SCAN RESULTS FOR MX2.W3MAN.COM:25
 ---------------------------------------------------

  * TLSV1 Cipher Suites:
      Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok
      Accepted:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_256_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      250 2.0.0 Ok
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_128_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_SEED_CBC_SHA                     DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_RC4_128_SHA                    ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_RC4_128_SHA                    ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_RC4_128_MD5                      DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_RC4_128_SHA                          -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_RC4_128_MD5                          -              128 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   112 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      250 2.0.0 Ok

  * TLSV1_1 Cipher Suites:
      Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok
      Accepted:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_256_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      250 2.0.0 Ok
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_128_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_SEED_CBC_SHA                     DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_RC4_128_SHA                    ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_RC4_128_SHA                    ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_RC4_128_MD5                      DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_RC4_128_SHA                          -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_RC4_128_MD5                          -              128 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   112 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      250 2.0.0 Ok

  * TLSV1_2 Cipher Suites:
      Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256 bits  256 bits      250 2.0.0 Ok
      Accepted:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_256_GCM_SHA384               DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_256_CBC_SHA256               DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_256_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_AES_256_CBC_SHA256                   -              256 bits      250 2.0.0 Ok
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      250 2.0.0 Ok
        TLS_RSA_WITH_AES_256_GCM_SHA384                   -              256 bits      250 2.0.0 Ok
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   128 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_128_GCM_SHA256               DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_128_CBC_SHA256               DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_128_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_SEED_CBC_SHA                     DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_AES_128_GCM_SHA256                   -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_AES_128_CBC_SHA256                   -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_RC4_128_SHA                    ECDH-256 bits  128 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_RC4_128_SHA                    ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_RC4_128_MD5                      DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_RC4_128_SHA                          -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_RC4_128_MD5                          -              128 bits      250 2.0.0 Ok
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   112 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      250 2.0.0 Ok
</pre>
      <br>
      <br>
      You should bear in mind that it's a bad idea to neglect the backup
      MX when it comes to config, because then even the best concept as a
      whole is useless, or rather for nothing.<br>
    </div>
    <br>
    It would also be best to check whether your DH param file
    "${config_directory}/dh4096.pem" is OK (present and readable by
    postfix), because the DHE ciphers are missing. Unless that's
    intentional.<br>
    <br>
    I have the following in tls_exclude_ciphers:<br>
    <br>
    = aNULL, eNULL, 3DES, RC4, kRSA, kSRP, kPSK<br>
    <br>
    I think the resulting ciphers are a good compromise between (still
    relatively) high security and nevertheless a bit of legacy
    support.<br>
    <br>
    One has to bear in mind, though, that the general view on SSL
    support and mail transit is that it's better to offer old, insecure
    ciphers than to run the risk that the sending system then falls back
    to plaintext and thereby "bypasses" the TLS you actually wanted.
    (Funnily and ironically, the view on HTTPS is quite different: there
    everything has to be tomorrow's newest hot shit, preferably by
    yesterday.)<br>
    <br>
    Everyone has to weigh up for themselves what's best there.<br>
    <br>
    Regards, Fabian<br>
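As an added example (not part of Fabian's mail), a small Python audit that parses scan output in the format quoted above and flags every offered suite that the exclusion list from the mail (aNULL, eNULL, 3DES, RC4, kRSA, kSRP, kPSK) would reject, plus finite-field DH groups below 2048 bits. The alias-to-suite-name mapping and the 2048-bit threshold are my assumptions, and the sample lines are constructed from a subset of the mx2 results.

```python
import re

# Constructed sample in the format of the scan output quoted in the mail:
# suite name, key exchange, key size, SMTP reply (a subset of the mx2 results).
SAMPLE_SCAN = """\
 * TLSV1 Cipher Suites:
      Accepted:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      250 2.0.0 Ok
        TLS_RSA_WITH_RC4_128_MD5                          -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      250 2.0.0 Ok
 * TLSV1_2 Cipher Suites:
      Accepted:
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok
"""

# The exclusion list in the mail uses OpenSSL cipher-list aliases. This table
# (my mapping, an assumption) turns each alias into a test on the IANA suite
# name as printed by the scanner.
EXCLUSION_TESTS = {
    "aNULL": lambda s: "_anon_" in s,                  # unauthenticated key exchange
    "eNULL": lambda s: "_WITH_NULL_" in s,             # no encryption at all
    "3DES":  lambda s: "_3DES_" in s,
    "RC4":   lambda s: "_RC4_" in s,
    "kRSA":  lambda s: s.startswith("TLS_RSA_WITH_"),  # static RSA key exchange, no forward secrecy
    "kSRP":  lambda s: s.startswith("TLS_SRP_"),
    "kPSK":  lambda s: s.startswith("TLS_PSK_WITH_"),  # plain PSK only (DHE/ECDHE-PSK are other aliases)
}
DEFAULT_EXCLUDED = ("aNULL", "eNULL", "3DES", "RC4", "kRSA", "kSRP", "kPSK")
MIN_DH_BITS = 2048  # assumption: flag finite-field DH groups smaller than this

PROTO_RE = re.compile(r"^\s*\*\s+(\S+) Cipher Suites:")
SUITE_RE = re.compile(r"^\s*(TLS_\S+)\s+(-|\S+ bits)\s+(\d+ bits|ANONYMOUS)\s+(.*?)\s*$")


def parse_scan(text):
    """Return (protocol, suite, key_exchange, key_size) for every suite line,
    tracking the '* TLSV... Cipher Suites:' header that precedes it."""
    proto, rows = None, []
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and proto:
            rows.append((proto, m.group(1), m.group(2), m.group(3)))
    return rows


def audit(text, excluded=DEFAULT_EXCLUDED):
    """Map (protocol, suite) -> reasons for every offered suite the exclusion
    policy would reject. A suite listed under both 'Preferred' and 'Accepted'
    is reported once."""
    findings = {}
    for proto, suite, kx, _size in parse_scan(text):
        reasons = [alias for alias in excluded if EXCLUSION_TESTS[alias](suite)]
        m = re.match(r"DH-(\d+) bits", kx)  # 'ECDH-...' does not match here
        if m and int(m.group(1)) < MIN_DH_BITS:
            reasons.append(f"DH group {m.group(1)} bits < {MIN_DH_BITS}")
        if reasons:
            findings[(proto, suite)] = reasons
    return findings


if __name__ == "__main__":
    for (proto, suite), reasons in sorted(audit(SAMPLE_SCAN).items()):
        print(f"{proto:8} {suite:45} {', '.join(reasons)}")
```

Feed it the full scan output of a host to see which offered suites survive the mail's exclusion list; for mx1 it reports nothing, since only ECDHE-ECDSA suites are offered there.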
  </body>
</html>