[Ach] DROWN Attack

A. Schulze sca at andreasschulze.de
Tue Mar 1 21:08:36 CET 2016


Sebastian:

> Currently, for mailservers we allow SSL for opportunistic TLS encryption
> between mailservers. For all other cases, SSL is disabled.


There is no need to support SSLv2 or SSLv3 for MTA to MTA communication.
Postfix, for example, disables both protocols by default.

# postconf mail_version
mail_version = 3.1.0

# postconf -d | grep SSL
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3

Andreas
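
Added example, not part of the original message: a small audit of postconf-style output that reports any *_tls_*protocols parameter still permitting SSLv2 or SSLv3, the protocols the message says MTA to MTA traffic does not need. It assumes the include/exclude list syntax shown above; the function names and sample input are constructed, and version-bound values such as ">=TLSv1" from newer Postfix releases are only flagged for manual review.

```shell
#!/bin/sh
# Added example (not from the original post): flag Postfix TLS protocol
# parameters that still permit SSLv2 or SSLv3.
# Reads "name = value" lines, as printed by postconf, on stdin and prints
# one line per *_tls_*protocols parameter that needs attention.
audit_tls_protocols() {
    awk '
    BEGIN { nweak = split("SSLv2 SSLv3", weakp, " ") }
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1)
        gsub(/[ \t]/, "", name)
        if (name !~ /_tls_(mandatory_)?protocols$/) next
        # Tokens are separated by whitespace, commas or colons.
        n = split(substr($0, eq + 1), tok, /[ \t,:]+/)
        split("", inc); split("", exc); includes = 0; bounds = 0
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "") continue
            if (t ~ /^[<>]=/) bounds = 1                    # e.g. >=TLSv1
            else if (substr(t, 1, 1) == "!") exc[substr(t, 2)] = 1
            else { inc[t] = 1; includes++ }
        }
        if (bounds) { print name ": REVIEW (version bound not evaluated)"; next }
        # With no explicit inclusions every protocol is allowed unless
        # excluded; with inclusions only the listed ones are allowed.
        weak = ""
        for (k = 1; k <= nweak; k++) {
            p = weakp[k]
            if (!(p in exc) && (includes == 0 || (p in inc))) weak = weak " " p
        }
        if (weak != "") print name ": allows" weak
    }'
}

# Constructed sample input, not taken from a real server.
sample_config() {
    cat <<'EOF'
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2
lmtp_tls_protocols =
smtpd_tls_mandatory_protocols = TLSv1.2
smtp_tls_mandatory_protocols = >=TLSv1
smtpd_tls_security_level = may
EOF
}

sample_config | audit_tls_protocols
```

On a mail server the same function can be fed the effective configuration with "postconf | audit_tls_protocols"; no output means no parameter allows SSLv2 or SSLv3.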



