[Ach] disable SSLv2 + SSLv3 howto

Aaron Zauner azet at azet.org
Wed Oct 15 15:00:12 CEST 2014


We're currently having a discussion on the IETF UTA WG on the topic; the
postfix maintainer is arguing that disabling RC4, SSLv3, etc. will cause
plaintext fallback for MTA<->MTA traffic, which is - as far as I can tell -
correct for servers that do not support TLS properly (or legacy clients).

https://www.ietf.org/mail-archive/web/uta/current/maillist.html

So; configure your mailserver with caution, it might be unable to handle a
large percentage of mail traffic.

Aaron

On Wed, Oct 15, 2014 at 2:54 PM, A. Schulze <sca at andreasschulze.de> wrote:

>
> Hello,
>
> to check, which protocols are enabled in postfix:
> # postconf | grep '_tls_protocols'
>
> to check, what's currently spoken:
>
> < inbound >
> # grep 'TLS connection established from' /var/log/mail | sed -e 's/^.*\]\: //' -e 's/ with cipher.*//' | sort | uniq -c
>
> < outbound >
> # grep 'TLS connection established to' /var/log/mail | sed -e 's/^.*\]:25\: //' -e 's/ with cipher.*//' | sort | uniq -c
>
> to disable SSLv2 + SSLv3 in postfix:
> # postconf -e 'lmtp_tls_protocols = !SSLv2,!SSLv3'
> # postconf -e 'smtp_tls_protocols = !SSLv2,!SSLv3'
> # postconf -e 'smtpd_tls_protocols = !SSLv2,!SSLv3'
> # postfix reload
>
> to use only TLS1 and TLS1.2 in nginx, add this inside the http { } section:
> ssl_protocols TLSv1 TLSv1.2;
>
> to disable SSLv2 and SSLv3 in dovecot, add this to dovecot.conf:
> ssl_protocols = !SSLv2 !SSLv3
>
> please check if your version supports this feature at all. This advice is
> valid for current releases.
>
> Andreas
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
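The two checks Andreas describes (count which protocol versions Postfix actually negotiated, then verify the three `*_tls_protocols` parameters exclude SSLv2 and SSLv3) as one self-contained script. This is an added example and not code from either message in the thread; the log lines and the two `main.cf` excerpts are constructed sample data written to temporary files, and the function names `tls_versions`, `legacy_hits` and `check_tls_protocols` are the example's own. On a real host, point them at your mail log and `main.cf` instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Defender-side checks built
# from the grep/sed pipeline and postconf settings quoted above:
#   tls_versions        - which protocol versions Postfix negotiated, per direction
#   legacy_hits         - how many sessions still ran over SSLv2 or SSLv3
#   check_tls_protocols - whether lmtp/smtp/smtpd_tls_protocols exclude SSLv2 and SSLv3
# All input below is constructed sample data; substitute /var/log/mail and
# /etc/postfix/main.cf (or `postconf -n` output) on a real system.

LOG=$(mktemp)
CF_GOOD=$(mktemp)
CF_BAD=$(mktemp)
trap 'rm -f "$LOG" "$CF_GOOD" "$CF_BAD"' EXIT

# Constructed Postfix log excerpt in the usual "TLS connection established" format.
cat > "$LOG" <<'EOF'
Oct 15 14:01:02 mx postfix/smtpd[1234]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 15 14:02:11 mx postfix/smtpd[1235]: Anonymous TLS connection established from old.example.org[198.51.100.7]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 15 14:03:45 mx postfix/smtp[1300]: Trusted TLS connection established to mail.example.com[203.0.113.5]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 15 14:04:00 mx postfix/smtp[1301]: Untrusted TLS connection established to relay.example.net[203.0.113.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Oct 15 14:05:00 mx postfix/smtpd[1236]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
EOF

# Constructed main.cf excerpts: one hardened as in the post, one incomplete.
cat > "$CF_GOOD" <<'EOF'
lmtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
EOF
cat > "$CF_BAD" <<'EOF'
# outbound SMTP still permits SSLv3; lmtp parameter not set at all
smtp_tls_protocols = !SSLv2
smtpd_tls_protocols = !SSLv2,!SSLv3
EOF

# tls_versions <inbound|outbound> <logfile>
# Prints "<count> <protocol>" lines, most frequent first. The sed strips the
# cipher suffix, then everything up to the last ": ", which handles both the
# inbound "host[ip]: PROTO" and outbound "host[ip]:25: PROTO" forms.
tls_versions() {
    case "$1" in
        inbound)  pat='TLS connection established from' ;;
        outbound) pat='TLS connection established to' ;;
        *) echo "usage: tls_versions inbound|outbound logfile" >&2; return 2 ;;
    esac
    grep "$pat" "$2" | sed -e 's/ with cipher.*//' -e 's/.*: //' | sort | uniq -c | sort -rn
}

# legacy_hits <logfile>: number of sessions (either direction) that used SSLv2/SSLv3.
legacy_hits() {
    grep -c 'TLS connection established .*: SSLv[23] with cipher' "$1" || true
}

# check_tls_protocols <main.cf>: report each *_tls_protocols parameter that does
# not rule out SSLv2 and SSLv3. Returns 0 only if all three are acceptable.
# Accepts the exclusion form from the post ("!SSLv2,!SSLv3") and an explicit
# allow-list that simply never names SSLv2/SSLv3.
check_tls_protocols() {
    rc=0
    for p in lmtp_tls_protocols smtp_tls_protocols smtpd_tls_protocols; do
        val=$(sed -n "s/^[[:space:]]*$p[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
        case "$val" in
            "") echo "$p: not set in $1 (Postfix default applies)"; rc=1 ;;
            *!*)
                case "$val" in *'!SSLv2'*) ;; *) echo "$p: missing !SSLv2 ($val)"; rc=1 ;; esac
                case "$val" in *'!SSLv3'*) ;; *) echo "$p: missing !SSLv3 ($val)"; rc=1 ;; esac ;;
            *SSLv[23]*) echo "$p: explicitly allows SSLv2/SSLv3 ($val)"; rc=1 ;;
        esac
    done
    return $rc
}

echo "== inbound protocol versions =="
tls_versions inbound "$LOG"
echo "== outbound protocol versions =="
tls_versions outbound "$LOG"
echo "== SSLv2/SSLv3 sessions seen: $(legacy_hits "$LOG")"
echo "== auditing hardened sample config =="
check_tls_protocols "$CF_GOOD" && echo "all three parameters exclude SSLv2 and SSLv3"
echo "== auditing incomplete sample config =="
check_tls_protocols "$CF_BAD" || echo "fix the parameters listed above before relying on it"
```

Run the log summary before tightening the settings: a non-zero `legacy_hits` count tells you which peers will lose TLS (and, per Aaron's note, may fall back to plaintext) once SSLv3 is refused, so you can contact them or decide to accept that risk deliberately. The config audit is a sanity check on what `postconf -n` shows; it does not replace re-running the log summary after `postfix reload`.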