[Ach] disable SSLv2 + SSLv3 howto

A. Schulze sca at andreasschulze.de
Wed Oct 15 14:54:11 CEST 2014


to check which protocols are enabled in postfix:
# postconf | grep '_tls_protocols'

to check what's currently spoken:

< inbound >
# grep 'TLS connection established from' /var/log/mail | sed -e 's/^.*\]\: //' -e 's/ with cipher.*//' | sort | uniq -c

< outbound >
# grep 'TLS connection established to' /var/log/mail | sed -e 's/^.*\]:25\: //' -e 's/ with cipher.*//' | sort | uniq -c

to disable SSLv2 + SSLv3 in postfix:
# postconf -e 'lmtp_tls_protocols = !SSLv2,!SSLv3'
# postconf -e 'smtp_tls_protocols = !SSLv2,!SSLv3'
# postconf -e 'smtpd_tls_protocols = !SSLv2,!SSLv3'
# postfix reload

to use only TLS1 and TLS1.2 in nginx, add this inside the http { } section:
ssl_protocols TLSv1 TLSv1.2;

to disable SSLv2 and SSLv3 in dovecot, add this to dovecot.conf:
ssl_protocols = !SSLv2 !SSLv3

please check if your version supports this feature at all. This advice
is valid for current releases.
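
Added example, not part of the original post: before disabling SSLv2/SSLv3, it helps to know which peers still negotiate them, since those are the ones affected by the change. The function name `legacy_tls_peers` and the sample log lines are constructed for illustration; the function expects the same Postfix log lines that the grep commands above match.

```shell
#!/bin/sh
# Reads Postfix log lines on stdin and prints "count direction protocol peer"
# for every peer that negotiated SSLv2 or SSLv3, highest count first.
legacy_tls_peers() {
    awk '
    / TLS connection established (from|to) / {
        for (i = 1; i <= NF; i++) {
            if ($i == "established") {
                dir   = ($(i + 1) == "from") ? "inbound" : "outbound"
                peer  = $(i + 2)
                proto = $(i + 3)
                break
            }
        }
        sub(/:$/, "", peer)         # drop the trailing colon after the peer
        sub(/:[0-9]+$/, "", peer)   # outbound lines carry the port, e.g. ":25"
        if (proto ~ /^SSLv[23]$/) seen[dir " " proto " " peer]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample log lines (hosts and addresses are documentation values).
sample_log() {
    cat <<'EOF'
Oct 15 14:00:01 mx postfix/smtpd[1234]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 15 14:00:03 mx postfix/smtpd[1240]: Anonymous TLS connection established from old.example.com[192.0.2.77]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 15 14:00:09 mx postfix/smtpd[1251]: Anonymous TLS connection established from old.example.com[192.0.2.77]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 15 14:00:12 mx postfix/smtp[2345]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: SSLv3 with cipher AES256-SHA (256/256 bits)
Oct 15 14:00:15 mx postfix/smtp[2350]: Trusted TLS connection established to mx.example.org[203.0.113.5]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
EOF
}

# Demo on the sample; on a real host use: legacy_tls_peers < /var/log/mail
sample_log | legacy_tls_peers
```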

