[Ach] Suggested Postfix config allows some weak ciphers - please review

Thomas Preissler thomas at preissler.co.uk
Sat May 3 10:37:10 CEST 2014


I had a go at your recommended Postfix settings. I am on Debian Wheezy,
Postfix 2.9.6-2.

When testing these settings with https://starttls.info/, I get the
following report:

  Key exchange
  Anonymous Diffie-Hellman is accepted. This is susceptible to
  Man-in-the-Middle attacks.

  Weakest accepted cipher: 0.

So I had a play, and to manage to disable those two you would need the
following config:

# Outbound (smtp client) side: protocol versions for opportunistic and mandatory TLS
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Outbound cipher grade when TLS is mandatory
smtp_tls_mandatory_ciphers = high
# Ciphers excluded at all TLS security levels, outbound (smtp) and inbound (smtpd)
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
# The same exclusions for the mandatory TLS security levels
smtp_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5

Which then disables Anonymous DH, and the weakest cipher would be 128.



www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint:  CCBD 153A D257 CA7E A217  FDF7 5928 03D1 7588 9415
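Added example, not from the post above and not part of the Ach/bettercrypto material: a Python script that uses the local OpenSSL (through Python's ssl module) to resolve the cipher list Postfix would build from a cipher grade plus an *_exclude_ciphers value, and reports the two things the starttls.info scan flagged, whether any anonymous (Au=None) suite survives and the weakest strength in bits. The grade strings in POSTFIX_GRADES are the Postfix 2.x postconf(5) defaults as I remember them and are an assumption; confirm with `postconf -d tls_high_cipherlist` on your own system. Results also depend on the OpenSSL build you run it against (current builds have dropped RC4, DES and export suites entirely, so the "before" side looks much cleaner than it did on Wheezy).

```python
import ssl

# Postfix builds an OpenSSL cipher list from the grade named in
# smtp(d)_tls_ciphers / smtp(d)_tls_mandatory_ciphers and then appends every
# entry of the matching *_exclude_ciphers list as "!entry".
# ASSUMPTION: these grade strings are the Postfix 2.x defaults for
# tls_high_cipherlist, tls_medium_cipherlist, etc.; check "postconf -d".
POSTFIX_GRADES = {
    "high":   "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH",
    "medium": "ALL:!EXPORT:!LOW:+RC4:@STRENGTH",
    "low":    "ALL:!EXPORT:+RC4:@STRENGTH",
    "export": "ALL:+RC4:@STRENGTH",
    "null":   "eNULL:!aNULL",
}


def parse_postfix_list(value):
    """Split a Postfix list value such as 'aNULL, DES, RC4, MD5' on commas/whitespace."""
    return [item for item in value.replace(",", " ").split() if item]


def build_cipherlist(grade, exclude=()):
    """Return the OpenSSL cipher-list string Postfix would pass for this grade and exclusions."""
    if grade not in POSTFIX_GRADES:
        raise ValueError("unknown Postfix cipher grade: %r" % grade)
    return ":".join([POSTFIX_GRADES[grade]] + ["!" + item for item in exclude])


def evaluate_cipherlist(cipherlist):
    """Resolve a cipher-list string against the local OpenSSL and summarise it.

    Returns the resolved suite names, the weakest strength in bits and whether
    any anonymous (unauthenticated key exchange) suite is still enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipherlist)
    except ssl.SSLError:
        # OpenSSL refuses a list that matches no TLS 1.2-or-older suite at all
        # ("No cipher can be selected"); report that as an empty list.
        return {"ciphers": [], "weakest_bits": None,
                "anonymous_allowed": False, "anonymous_ciphers": []}
    suites = ctx.get_ciphers()
    if not suites:
        return {"ciphers": [], "weakest_bits": None,
                "anonymous_allowed": False, "anonymous_ciphers": []}
    # OpenSSL's one-line description of a suite reads "Au=None" for anonymous
    # key exchange (ADH/AECDH), which is exactly what starttls.info warned about.
    anonymous = [c["name"] for c in suites if "Au=None" in c["description"]]
    return {
        "ciphers": [c["name"] for c in suites],
        "weakest_bits": min(c["strength_bits"] for c in suites),
        "anonymous_allowed": bool(anonymous),
        "anonymous_ciphers": anonymous,
    }


def compare(grade, exclude_value):
    """Evaluate a grade with and without the exclusions from main.cf."""
    before = evaluate_cipherlist(build_cipherlist(grade))
    after = evaluate_cipherlist(build_cipherlist(grade, parse_postfix_list(exclude_value)))
    return before, after


if __name__ == "__main__":
    # Constructed input: the exclusion list from the post, applied to the
    # "high" grade and to "export" (assumed to be the old smtpd_tls_ciphers default).
    for grade in ("export", "high"):
        before, after = compare(grade, "aNULL, DES, RC4, MD5")
        print("grade %-6s before: %3d suites, weakest %s bits, anonymous %s"
              % (grade, len(before["ciphers"]), before["weakest_bits"],
                 before["anonymous_allowed"]))
        print("grade %-6s after : %3d suites, weakest %s bits, anonymous %s"
              % (grade, len(after["ciphers"]), after["weakest_bits"],
                 after["anonymous_allowed"]))
```

This only reproduces the cipher-list construction offline. To confirm a running server, point `openssl s_client -starttls smtp -connect mx.example.org:25 -cipher aNULL` (mx.example.org being a placeholder) at the inbound MX; once aNULL is excluded on the smtpd side the handshake should fail rather than complete.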
