[Ach] Suggested Postfix config allows some weak ciphers - please review
chris at debilux.org
Sat May 3 11:24:52 CEST 2014
> I had a go at your recommended Postfix settings. I am on Debian Wheezy,
> Postfix 2.9.6-2.
> When testing these settings with https://starttls.info/, I get the
> following report:
> Key exchange
> Anonymous Diffie-Hellman is accepted. This is susceptible to
> Man-in-the-Middle attacks.
> Weakest accepted cipher: 0.
I had the same problem on FreeBSD 10.0 with Postfix 2.11.0.
> So I had a play, and to disable those two you would need the
> following config:
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_mandatory_ciphers = high
> smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
> smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
> smtp_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
> smtpd_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
> Which then disables Anonymous DH, and the weakest cipher would be 128.
This fixed it for me too.
E-Mail/Jabber: chris at debilux.org
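The settings quoted above are easy to get half-applied (the four exclude parameters and the protocol parameters all have to be set, and `postconf -n` output or a hand-edited main.cf is the only record of what a given host actually has). The following is an added example, not code from the thread or from the Postfix project: it parses main.cf-style text (Postfix's `name = value` lines, comments and whitespace-continuation lines) and audits the parameters the thread touches. The two config snippets in it are constructed for illustration; the "weak" one leaves the defaults in place, so OpenSSL's aNULL (ADH/AECDH) suites are still offered. It goes one step beyond the posted config by also checking the server-side `smtpd_tls_protocols` and `smtpd_tls_mandatory_protocols`, which the posted settings do not set; that extension is my assumption of what a full audit should cover.

```python
"""Audit a Postfix main.cf for the anonymous-DH / weak-cipher problem.

Added example, not from the original mail or from Postfix itself. The two
snippets below are constructed for illustration.
"""
import re

# Constructed: a minimal main.cf that leaves cipher/protocol defaults alone.
# No exclusions, so OpenSSL's aNULL (ADH/AECDH) suites are still offered.
WEAK_MAIN_CF = """\
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_security_level = may
smtp_tls_security_level = may
"""

# Constructed: the same server with the thread's settings applied, plus the
# server-side smtpd_tls_*protocols lines (assumed extension, see lead-in).
# One value is split over a continuation line to exercise the parser.
HARDENED_MAIN_CF = WEAK_MAIN_CF + """\
# TLS hardening
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtp_tls_mandatory_exclude_ciphers = aNULL, DES,
    RC4, MD5
smtpd_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
"""

EXCLUDE_PARAMS = (
    "smtpd_tls_exclude_ciphers",
    "smtpd_tls_mandatory_exclude_ciphers",
    "smtp_tls_exclude_ciphers",
    "smtp_tls_mandatory_exclude_ciphers",
)
PROTOCOL_PARAMS = (
    "smtpd_tls_protocols",
    "smtpd_tls_mandatory_protocols",
    "smtp_tls_protocols",
    "smtp_tls_mandatory_protocols",
)
# Tokens are passed through to OpenSSL, so the comparison is case-sensitive.
REQUIRED_EXCLUSIONS = {"aNULL", "DES", "RC4", "MD5"}
REQUIRED_PROTOCOL_DISABLES = {"!SSLv2", "!SSLv3"}


def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}.

    Postfix rules: comment lines start with '#', 'name = value' sets a
    parameter, and a line starting with whitespace continues the previous
    value. A later assignment overrides an earlier one.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def audit_tls(text):
    """Return a list of findings; an empty list means the config passes."""
    params = parse_main_cf(text)
    findings = []
    for name, required in (
        [(p, REQUIRED_EXCLUSIONS) for p in EXCLUDE_PARAMS]
        + [(p, REQUIRED_PROTOCOL_DISABLES) for p in PROTOCOL_PARAMS]
    ):
        have = set(split_list(params.get(name, "")))
        missing = required - have
        if missing:
            findings.append("%s: missing %s" % (name, ", ".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print("%s: %s" % (label, audit_tls(cfg) or "OK"))
```

On a live host, feed it the output of `postconf -n`, which is in the same `name = value` form. The config-side audit is only half the check: confirm on the wire with `openssl s_client -starttls smtp -connect mail.example.org:25 -cipher aNULL` (hostname is a placeholder), which should fail to complete a handshake once the aNULL exclusion is in effect. One caveat worth knowing: Postfix deliberately leaves anonymous suites enabled for opportunistic TLS, since without certificate verification an authenticated suite gives no more MITM protection; excluding them as above costs nothing, but it is the verification level, not the cipher list, that actually defends against an active attacker.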