Amazon SES and Postfix's no shared cipher warning

encryp.ch

1 point by jimsi 5 years ago · 2 comments

Dunedan 5 years ago

> TLS 1.2 is the minimum supported protocol, as recommended by RFC 7525, PCI DSS, and others

In addition to offering encrypted connections, each publicly available SMTP server must accept unencrypted connections according to RFC 2487 as well. So while Amazon SES should definitely support common ciphers, its current configuration shouldn't result in delays and delivery failures if there are no common ciphers between Amazon SES and another SMTP server. They also state that in their configuration:

> If Amazon SES can't establish a secure connection, it sends the message unencrypted.

So this looks like a misconfiguration of the Postfix installation, intentionally ignoring the disclaimer for smtpd_tls_security_level [1]:

> Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.

[1]: http://www.postfix.org/postconf.5.html#smtpd_tls_security_le...

  • jimsi (OP) 5 years ago

    > In addition to offering encrypted connections, each publicly available SMTP server must accept unencrypted connections according to RFC 2487 as well. So while Amazon SES should definitely support common ciphers, its current configuration shouldn't result in delays and delivery failures if there are no common ciphers between Amazon SES and another SMTP server. They also state that in their configuration:

    Amazon tried an unencrypted connection only 8 hours later, which is strange behaviour.
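For reference, a Postfix `main.cf` fragment added here as an illustration (it is not from either commenter or from the linked article) contrasting the mandatory-TLS setting the thread diagnoses with the opportunistic setting the Postfix documentation prescribes for a public MX. The certificate paths are placeholders and the protocol/cipher floor is an assumed baseline, not something the thread specifies; a real `main.cf` contains only one of the two `smtpd_tls_security_level` lines.

```ini
# --- What the thread diagnoses: mandatory TLS on a publicly-referenced MX ---
# "encrypt" rejects any client that cannot complete a TLS handshake (for
# example when no cipher is shared) instead of falling back to cleartext.
# RFC 2487 says this MUST NOT be used on a public MX; it is meant for
# dedicated servers whose peers are known to support TLS.
smtpd_tls_security_level = encrypt

# --- Corrected public MX: opportunistic TLS ---
# "may" still announces STARTTLS and uses TLS whenever the client can
# negotiate it, but accepts cleartext otherwise, so a sender such as
# Amazon SES that cannot agree on a cipher delivers unencrypted rather
# than deferring or bouncing the message.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mx.example.org.pem    # placeholder path
smtpd_tls_key_file  = /etc/ssl/private/mx.example.org.key  # placeholder path

# Assumed baseline: refuse legacy protocol versions when TLS is negotiated
# (exclusion form, accepted by all Postfix releases). This does not affect
# the cleartext fallback; it only shapes the TLS session when one happens.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = medium

# Log the negotiated protocol and cipher per session, and record it in the
# Received: header, so a "no shared cipher" warning can be correlated with
# the sending host and with whether the message later arrived in cleartext.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
```

After changing the setting, `postfix reload` applies it; the Received: header on subsequent SES mail shows whether each message came in over TLS or in cleartext.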
