Perfect Forward Secrecy (PFS) for mail servers

The benefit of this is to know that if I choose to disable some specific cipher, which clients is it likely to affect, just like the SSL labs tests show for web clients.

You don't need to restrict yourself to a specific cipher, but instead simply enable all ciphers which are acceptable to you and in the order you prefer them. The resulting cipher then will be negotiated between client and server depending on the supported ciphers on both sites. Don't restrict yourself unnecessary.

As for the ciphers typically used at the server side you might have a look at Quantifying the quality of TLS support where I've analyzed the TLS support for SMTP from the top 1M sites according to Alexa, which are about 600000 mail server with TLS enabled. According to my tests about 33% of the servers use ECDHE ciphers and 52% DHE ciphers, so that 85% use forward secrecy.

And for some more information about the ciphers used you will not find in the study here is a detailed list of ciphers negotiated when used with the DEFAULT cipher set of OpenSSL 1.0.1:

100.00%     600433 TOTAL
 29.53%     177285 DHE-RSA-AES256-GCM-SHA384
 21.20%     127304 ECDHE-RSA-AES128-GCM-SHA256
 20.62%     123804 DHE-RSA-AES256-SHA
  7.65%      45919 AES256-SHA
  6.40%      38404 ECDHE-RSA-AES256-GCM-SHA384
  4.42%      26558 AES256-GCM-SHA384
  4.36%      26189 ECDHE-RSA-AES256-SHA384
  1.76%      10586 AES128-SHA
  1.17%       7003 RC4-SHA
  0.93%       5577 DHE-RSA-AES256-SHA256
  0.90%       5389 ECDHE-RSA-AES256-SHA
  0.56%       3372 DHE-RSA-CAMELLIA256-SHA
  0.19%       1137 RC4-MD5
  0.08%        503 EDH-RSA-DES-CBC3-SHA
  0.08%        454 DES-CBC3-SHA
  0.07%        444 AES128-SHA256
  0.04%        235 DHE-RSA-AES128-GCM-SHA256
  0.01%         82 AES128-GCM-SHA256
  0.01%         59 AES256-SHA256
  0.01%         53 DHE-RSA-AES128-SHA
  0.00%         23 ECDHE-RSA-AES128-SHA
  0.00%         14 DHE-DSS-AES256-SHA
  0.00%         11 ECDHE-RSA-AES128-SHA256
  0.00%         10 ECDHE-RSA-RC4-SHA
  0.00%         10 ECDHE-RSA-DES-CBC3-SHA
  0.00%          4 DHE-DSS-AES256-GCM-SHA384
  0.00%          2 CAMELLIA256-SHA
  0.00%          1 DHE-RSA-SEED-SHA
  0.00%          1 AECDH-DES-CBC3-SHA

Please check the free script written by the firm where one of the highly qualified folks at Security SE works: https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/

ssl-cipher-suite-enum identifies the following common security issues relating to SSL: ...Support of key exchange algorithms that don’t support forward secrecy – or equivalently, cipher suites that allow sniffed traffic to be retrospectively decrypted if the private SSL key were to be compromised.

If you want to do it slowly and by hand, openssl portmanteau toolset is very handy:

From https://community.qualys.com/thread/12193:

openssl s_client -starttls smtp -crlf -connect YOUR_SMTP_SERVER:25

If you see DHE (Diffie-Hellmann Ephemeral) in the cipher suite, it's PFS.

From this post at Security SE TLS_DHE_DSS_WITH_DES_CBC_SHA DHE-DSS-CBC-SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA TLS_DHE_RSA_WITH_DES_CBC_SHA DHE-RSA-DES-CBC-SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DHE-RSA-AES256-SHA

TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  DHE-DSS-CAMELLIA128-SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  DHE-DSS-CAMELLIA256-SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  DHE-RSA-CAMELLIA128-SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  DHE-RSA-CAMELLIA256-SHA

TLS_DHE_DSS_WITH_SEED_CBC_SHA          DHE-DSS-SEED-SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA          DHE-RSA-SEED-SHA

If we include the Elliptic Curve ciphers, the following also implement PFS:

TLS_ECDHE_RSA_WITH_NULL_SHA             ECDHE-RSA-NULL-SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA          ECDHE-RSA-RC4-SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     ECDHE-RSA-DES-CBC3-SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDHE-RSA-AES128-SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDHE-RSA-AES256-SHA

TLS_ECDHE_ECDSA_WITH_NULL_SHA           ECDHE-ECDSA-NULL-SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        ECDHE-ECDSA-RC4-SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   ECDHE-ECDSA-DES-CBC3-SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    ECDHE-ECDSA-AES128-SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    ECDHE-ECDSA-AES256-SHA

If you also want to include TLS 1.2 (note that there are no TLS 1.1 specific suites) then you can expand the list to include:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE-RSA-AES256-GCM-SHA384

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE-DSS-AES128-SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE-DSS-AES256-SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE-DSS-AES128-GCM-SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE-DSS-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384

TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   ECDHE-RSA-CAMELLIA128-SHA256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   ECDHE-RSA-CAMELLIA256-SHA384