[Ach] Suggested Postfix config allows some weak ciphers - please review
Christian Busch
chris at debilux.org
Sat May 3 11:24:52 CEST 2014
Hi,
> Hello,
>
> I had a go at your recommended Postfix settings. I am on Debian Wheezy,
> Postfix 2.9.6-2.
>
> When testing these settings with https://starttls.info/, I get the
> following report:
>
> Key exchange
> Anonymous Diffie-Hellman is accepted. This is susceptible to
> Man-in-the-Middle attacks.
>
> Cipher
> Weakest accepted cipher: 0.
I had the same problem on FreeBSD 10.0 with Postfix 2.11.0.
> So I had a play, and to disable those two you would need the
> following config:
>
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_mandatory_ciphers = high
> smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
> smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
> smtp_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
> smtpd_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
>
> Which then disables Anonymous DH, and the weakest cipher would be 128.
This fixed it for me too.
Regards
chris
--
E-Mail/Jabber: chris at debilux.org
PGP-Key: 0x62E3232F
Web: http://debilux.org
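As an added example, not code from the thread or from Postfix, here is a small Python audit that parses a main.cf fragment and reports which of the four exclusion parameters quoted above still lack the aNULL, DES, RC4 and MD5 keywords. The sample configuration is constructed here and deliberately leaves out one of the server-side lists; the parser only handles single-line `name = value` settings, not Postfix continuation lines.

```python
import re

# Constructed sample main.cf fragment (not from the original post): the TLS
# settings from the thread, with smtpd_tls_mandatory_exclude_ciphers omitted.
SAMPLE_MAIN_CF = """
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtpd_tls_exclude_ciphers = aNULL, DES, RC4, MD5
smtp_tls_mandatory_exclude_ciphers = aNULL, DES, RC4, MD5
"""

# Each of these parameters must exclude the keywords below so that anonymous
# DH (aNULL) and the weak ciphers named in the thread are refused on both the
# client (smtp_) and server (smtpd_) side, for opportunistic and mandatory TLS.
EXCLUDE_PARAMS = (
    "smtp_tls_exclude_ciphers",
    "smtpd_tls_exclude_ciphers",
    "smtp_tls_mandatory_exclude_ciphers",
    "smtpd_tls_mandatory_exclude_ciphers",
)
REQUIRED_EXCLUSIONS = {"aNULL", "DES", "RC4", "MD5"}


def parse_main_cf(text):
    """Return {parameter: [values]} for single-line 'name = v1, v2' settings."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, comment, or continuation line: skipped
        name, _, value = line.partition("=")
        params[name.strip()] = [v for v in re.split(r"[,\s]+", value.strip()) if v]
    return params


def audit_tls_exclusions(text):
    """Map each exclusion parameter to the required keywords it still lacks."""
    params = parse_main_cf(text)
    findings = {}
    for name in EXCLUDE_PARAMS:
        missing = REQUIRED_EXCLUSIONS - set(params.get(name, []))
        if missing:
            findings[name] = sorted(missing)
    return findings


if __name__ == "__main__":
    for param, missing in audit_tls_exclusions(SAMPLE_MAIN_CF).items():
        print(f"{param}: missing {', '.join(missing)}")
```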