Running a security scan, all cyphers beginning with TLS_RSA are flagged as being suboptimal.
How would one go about disabling weaker cyphers (anything that’s not ECDHE or DHE)?
For the website That’s configured in nginx. Changing that is unsupported. You can see where that happens in the GitHub repo nginx-ssl config. (Also explanations about the rationale behind the choices in here: https://github.com/mail-in-a-box/mailinabox/blob/master/security.md)
You can check the consequences of disabling a cypher on https://www.ssllabs.com.
Thanks for the response. I understand the need for balance in not over-securing a server and locking out some users.
I looked at nginx-ssl, but couldn’t find any reference to RSA cyphers. I’m checking a report that looks to reference SMTP cyphers:
It’s not clear if that is the submission port or not.
Also read the surrounding comments, the also explain the rational.
Thanks! Now I understand the rationale: Better a weak cypher than to fall back to clear text.
I found a way to make my security scan happy. I added the following line to /etc/postfix/main.cf:
tls_preempt_cipherlist = yes
By having the server select the best preference, rather than the client, it looks like it starts with the highest level of security first.