[Ach] DROWN Attack

Sebastian sebix at sebix.at
Tue Mar 1 21:27:04 CET 2016


Hi,

For previous versions, SSLv2 was also implicitly disabled, e.g. here on
debian wheezy:

$ postconf mail_version
mail_version = 2.9.6h
$ postconf -d | grep SSL
lmtp_tls_mandatory_protocols = !SSLv2
lmtp_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2

Also in the docs:
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols
> The default value is "!SSLv2, !SSLv3" for Postfix releases after the
> middle of 2015, "!SSLv2" for older releases.
According to the paper, it's also default for Exim.

However, this is not (explicitly) part of our recommendations. We do
not rely on sane defaults, as they are so different across all platforms,
many maintainers have different opinions etc. But the defaults have been
improved in the last year. (Thanks to azet here!)

All in all, it's mostly a documentation issue.

Sebastian

On 03/01/2016 09:08 PM, A. Schulze wrote:
>
> Sebastian:
>
>> Currently, for mailservers we allow SSL for opportunistic TLS encryption
>> between mailservers. For all other cases, SSL is disabled.
>
>
> there is no need to support SSLv2 or SSLv3 for MTA to MTA communication.
> postfix for example disables both protocols by default.
>
> # postconf mail_version
> mail_version = 3.1.0
>
> # postconf -d | grep SSL
> lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> lmtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2, !SSLv3
>
> Andreas
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
> -- 
> python programming - mail server - photo - video - https://sebix.at
> cryptographic key at https://sebix.at/DC9B463B.asc and on public keyservers
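The `postconf -d | grep SSL` check that both messages rely on can be turned into a repeatable audit. The script below is an added example, not code from this thread or from Postfix: it reads `key = value` lines as `postconf -n` or `postconf -d` prints them and flags every `*_tls_protocols` / `*_tls_mandatory_protocols` parameter that still permits SSLv2 or SSLv3. It assumes the list syntax described in postconf(5): an exclusion list (`!SSLv2, !SSLv3`) permits everything not negated, an inclusion list (`TLSv1.2, TLSv1.3`) permits only what is named, and an empty list permits every protocol. The sample input is constructed and is not output from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix: audit Postfix TLS
# protocol lists for SSLv2/SSLv3 exposure. Feed it "key = value" lines from
#   postconf -n   (explicit main.cf settings)   or   postconf -d   (defaults)
# Every *_tls_protocols / *_tls_mandatory_protocols parameter that still
# permits SSLv2 or SSLv3 is reported as WEAK; the audit returns 1 if any is.

# protocol_allowed LIST PROTO: succeeds (0) when PROTO is permitted by a
# Postfix protocol list (assumed postconf(5) semantics): an exclusion list
# ("!SSLv2, !SSLv3") permits everything not negated, an inclusion list
# ("TLSv1.2, TLSv1.3") permits only what is named, an empty list permits all.
# Names are compared case-insensitively.
protocol_allowed() {
    list=$(printf '%s' "$1" | tr ',a-z' ' A-Z')
    proto=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    set -- $list                        # split the list on whitespace
    [ $# -eq 0 ] && return 0            # empty list: nothing is excluded
    exclusion=0
    for tok in "$@"; do
        case "$tok" in "!"*) exclusion=1 ;; esac
    done
    for tok in "$@"; do
        if [ "$exclusion" -eq 1 ]; then
            [ "$tok" = "!$proto" ] && return 1   # explicitly excluded
        else
            [ "$tok" = "$proto" ] && return 0    # explicitly included
        fi
    done
    # exclusion list without "!PROTO" permits PROTO; inclusion list without
    # PROTO denies it
    [ "$exclusion" -eq 1 ]
}

# audit_postconf: reads postconf-style lines from stdin, prints one verdict
# per protocol parameter, returns 0 only if none permits SSLv2 or SSLv3.
audit_postconf() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *"_tls_protocols ="*|*"_tls_mandatory_protocols ="*) ;;
            *) continue ;;               # not a protocol list parameter
        esac
        key=${line%% =*}
        value=${line#*=}
        value=${value# }                 # drop the single space after "="
        bad=""
        for p in SSLv2 SSLv3; do
            if protocol_allowed "$value" "$p"; then bad="$bad $p"; fi
        done
        if [ -n "$bad" ]; then
            printf 'WEAK  %s = %s  (permits%s)\n' "$key" "$value" "$bad"
            rc=1
        else
            printf 'OK    %s = %s\n' "$key" "$value"
        fi
    done
    return $rc
}

# Constructed sample, not output from a real host: a Postfix 2.9-era default
# set (SSLv2 excluded, SSLv3 not) mixed with a few explicit settings.
SAMPLE_POSTCONF='mail_version = 2.9.6h
lmtp_tls_mandatory_protocols = !SSLv2
lmtp_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3
smtpd_tls_protocols =
smtpd_tls_security_level = may'

# Run the audit on the sample; a WEAK result prints a summary instead of
# failing the script so the full report is always shown.
printf '%s\n' "$SAMPLE_POSTCONF" | audit_postconf \
    || echo 'RESULT: at least one parameter still permits SSLv2 or SSLv3'
```

On a live system replace the sample with `postconf -n | audit_postconf` to check what main.cf actually sets, and `postconf -d | audit_postconf` to see what the build's defaults would give you if a setting were removed; the sample above yields three WEAK lines (both lmtp lists, which only exclude SSLv2, and the empty smtpd_tls_protocols) and three OK lines.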
