> TLS 1.2 is the minimum supported protocol, as recommended by RFC 7525, PCI DSS, and others

In addition to offering encrypted connections, each publicly available SMTP server must accept unencrypted connections according to RFC 2487 as well. So while Amazon SES should definitely support common ciphers, its current configuration shouldn't result in delays and delivery failures if there are no common ciphers between Amazon SES and another SMTP server. They also state that in their configuration:

> If Amazon SES can't establish a secure connection, it sends the
> message unencrypted.

So this looks like a misconfiguration of the Postfix installation, intentionally ignoring the disclaimer for smtpd_tls_security_level [1]:

> Mandatory TLS encryption: announce STARTTLS support to remote SMTP
> clients, and require that clients use TLS encryption. According to
> RFC 2487 this MUST NOT be applied in case of a publicly-referenced
> SMTP server. Instead, this option should be used only on dedicated
> servers.

[1]: http://www.postfix.org/postconf.5.html#smtpd_tls_security_le...
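
The misconfiguration described in the comment above can be checked for mechanically. The following is an added example, not part of the original comment and not Postfix's own tooling: it parses `main.cf` text and flags `smtpd_tls_security_level = encrypt` on a host assumed to be a public MX. The sample configuration, the function names and the `public_mx` flag are constructed for illustration, and per-service `-o` overrides in `master.cf` are not considered.

```python
import re

# Constructed sample main.cf for a public MX host (not taken from the thread).
SAMPLE_MAIN_CF = """\
# inbound TLS policy
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
"""

def parse_main_cf(text):
    """Parse main.cf text: '#' lines are comments, a line starting with
    whitespace continues the previous one, the last definition wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a continuation
        if line[0] in " \t":
            if name:
                params[name] = (params[name] + " " + line.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        name = m.group(1) if m else None
        if m:
            params[name] = m.group(2).strip()
    return params

def audit_inbound_tls(text, public_mx=True):
    """Return findings about the inbound (smtpd) TLS security level."""
    level = parse_main_cf(text).get("smtpd_tls_security_level", "")
    findings = []
    if level == "encrypt" and public_mx:
        findings.append("smtpd_tls_security_level=encrypt on a public MX: "
                        "mail from clients that cannot complete STARTTLS is "
                        "rejected; 'may' keeps TLS opportunistic")
    elif level == "none":
        findings.append("smtpd_tls_security_level=none: STARTTLS is not "
                        "announced to clients")
    elif level == "":
        findings.append("smtpd_tls_security_level unset: legacy "
                        "smtpd_use_tls/smtpd_enforce_tls settings apply")
    return findings

if __name__ == "__main__":
    for finding in audit_inbound_tls(SAMPLE_MAIN_CF):
        print(finding)
```
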