while Postfix 2.10 is no longer supported. If you want to keep up with
best practice, upgrade.
> Server TLS configuration looks like this at the moment.
> #TLS Server configuration
> smtpd_tls_security_level = may
> smtpd_tls_cert_file = /etc/postfix/ssl/2017.cer
> smtpd_tls_key_file = /etc/postfix/ssl/2017.key
You should have, if not already default values with your 2.10.1
(with some vendor patch backports?) Postfix release:

    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_ciphers = medium
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_ciphers = medium
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_ciphers = medium
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_ciphers = medium
to trim obsolete baggage from the list of ciphers offered by the SMTP client
to remote servers. This can actually improve interoperability in some edge cases,
and should not cause any loss of ability to negotiate TLS with remote systems.
That said, this is not required. You can, if you wish, include RC4 in that list,
but it is not as bad as it is made out to be, and would only be negotiated when
nothing else better is available; almost all systems prefer AES these days, when
> Once a month an external company does a security scan on all Postfix instances. Last time there was a big discussion about anonymous ciphers.
> Do I need to disable them?