[Ach] Suggested Postfix config allows some weak ciphers - please review
Thomas Preissler
thomas at preissler.co.uk
Sat May 3 10:37:10 CEST 2014
Hello,
I had a go at your recommended Postfix settings. I am on Debian Wheezy,
Postfix 2.9.6-2.
When testing these settings with https://starttls.info/, I get the
following report:
Key exchange
Anonymous Diffie-Hellman is accepted. This is susceptible to
Man-in-the-Middle attacks.
Cipher
Weakest accepted cipher: 0.
So I had a play, and to disable those two you would need the
following config:
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtp_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
This then disables Anonymous DH, and the weakest cipher would be 128.
Regards
Thomas
--
www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint: CCBD 153A D257 CA7E A217 FDF7 5928 03D1 7588 9415
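As an added check, not part of Thomas's message and not code from the Ach guide or from Postfix: the script below maps the cipher settings quoted above onto the OpenSSL cipher-string syntax Postfix hands to libssl (grade alias first, then each excluded token with a "!" prefix) and asks the local libssl which suites survive. It is an assumption of the example that a bare alias such as HIGH stands in for Postfix's tls_high_cipherlist (the real default carries extra ordering rules), and the suites you see depend on how the local OpenSSL was built. The "anonymous" and "weakest_bits" fields correspond to the two starttls.info findings in the message.

```python
import re
import ssl

# Postfix cipher grades mapped to OpenSSL aliases. Assumption for this
# example: the bare alias stands in for Postfix's tls_<grade>_cipherlist.
GRADES = {
    "high": "HIGH",
    "medium": "MEDIUM",
    "low": "LOW",
    "export": "EXPORT",
    "null": "eNULL",
}


def cipherlist(grade, exclude=""):
    """Turn a cipher grade plus an *_exclude_ciphers value (comma or
    whitespace separated, as in main.cf) into the OpenSSL cipher string:
    each excluded token is appended with a '!' prefix."""
    tokens = [t for t in re.split(r"[,\s]+", exclude) if t]
    return ":".join([GRADES[grade.lower()]] + ["!" + t for t in tokens])


def offered_suites(cipher_string):
    """Let the local libssl expand the string into concrete suites.
    Returns [] when libssl cannot select any cipher for it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def audit(grade, exclude=""):
    """Summarise what an SMTP server using these settings would offer."""
    cs = cipherlist(grade, exclude)
    suites = offered_suites(cs)
    return {
        "cipherlist": cs,
        "suites": [s["name"] for s in suites],
        # Anonymous key exchange: the server never proves its identity,
        # so an active attacker can sit in the middle (the first finding).
        "anonymous": [s["name"] for s in suites if s.get("auth") == "auth-null"],
        "md5_mac": [s["name"] for s in suites if s.get("digest") == "md5"],
        "legacy_cipher": [s["name"] for s in suites
                          if s.get("symmetric") in ("rc4", "des-cbc", "des-cbc-40")],
        # "Weakest accepted cipher" in the report's terms; 0 when nothing survives.
        "weakest_bits": min((s["strength_bits"] for s in suites), default=0),
    }


if __name__ == "__main__":
    # Same grade with and without the exclusions from the message.
    for label, exclude in (("grade high, no exclusions", ""),
                           ("grade high + exclusions", "aNULL, DES, RC4, MD5")):
        r = audit("high", exclude)
        print(f"{label}: {r['cipherlist']}")
        print(f"  suites: {len(r['suites'])}, weakest: {r['weakest_bits']} bits")
        print(f"  anonymous: {r['anonymous'] or 'none'}")
```

On a libssl that still ships the ADH/AECDH suites, the first audit lists them under "anonymous" even though the grade is "high", which is why the exclude lists in the message are needed in addition to the grade; the second audit should report none and a weakest strength of 128 bits or more. Note that the OpenSSL "DES" token excludes single DES only; whether 3DES is still offered depends on whether the local libssl classes it as HIGH.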