ml@ruggedinbox.com writes:

Our smtp server is postfix, can you please suggest a better 'ssl_protocols' and 'ssl_cipher_list' configuration ? We are running Debian 7 Wheezy

A useful command to know is "openssl ciphers" run on the server that will tell you the ciphers available given a protocol and cipher list spec.

If it comes out to empty, your client won't be able to negotiate any SSL sessions, and you'll have include more ciphers. For example, TLSv1 protocol minus any low-grade encryption or SSLv2 ciphers:

$ openssl ciphers -tlsv1 'ALL:\!LOW:\!SSLv2'
ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:EXP-ADH-DES-CBC-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5:EDH-RSA-DES-CBC3-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EXP-EDH-DSS-DES-CBC-SHA:DES-CBC3-SHA:EXP-DES-CBC-SHA:IDEA-CBC-SHA:EXP-RC2-CBC-MD5:RC4-SHA:RC4-MD5:EXP-RC4-MD5

Joseph Tam jtam.home@gmail.com