Just posting this for the record as it took half a day's googling and trial-and-error to get it blocked.

Add the following to your main.cf config file:

Code:
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = SSLv3, TLSv1, !SSLv2
smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL

Then just do a postfix reload, e.g.

Code:
/etc/init.d/postfix reload

To check it's actually disabled, use the following openssl command:

Code:
openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2

which should give you something like this:

Code:
CONNECTED(00000003)
write:errno=104

as opposed to the SSL3 test:

Code:
openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl3
CONNECTED(00000003)
....
SSL-Session:
    Protocol : SSLv3
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: AB6C68095ADFA60119F4845485D840A62DEB5B519E803510692F1BBCD71199CD
    Session-ID-ctx:
    Master-Key: 8BA2691B5EEEA9AE6752D804F0B0700C0792E7AD6BC6D19416B819EF5014FA80FAC51E124DFFB083C70A547AF522C149
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1292001315
    Timeout : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
220 mail.xxxxxxxxx.net ESMTP Postfix
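
The check above, scripted: an added example, not part of the original post, that classifies `openssl s_client` transcripts as negotiated, refused, or not testable with the local client. The function names, the host mail.example.net and the sample transcripts are constructed for illustration, and the loose match on the client's "unknown option" error is an assumption about OpenSSL's wording.

```sh
# Added example (not from the original post): classify `openssl s_client`
# transcripts so the protocol check can be scripted rather than read by eye.

# Reads a transcript on stdin and prints one of:
#   negotiated <protocol> <cipher> | refused | client-unsupported
classify_handshake() {
    awk '
        # A client built without the protocol rejects the flag before it
        # connects, which says nothing about the server. The error wording
        # varies by OpenSSL version, so it is matched loosely (assumption).
        tolower($0) ~ /unknown option/ { unsupported = 1 }
        /^SSL-Session:/ { in_session = 1; next }
        in_session && $1 == "Protocol" { proto = $NF }
        in_session && $1 == "Cipher"   { cipher = $NF }
        END {
            # Newer clients print a session block even after a failed
            # handshake, with a null cipher ("0000"); count that as refused.
            nocipher = (cipher == "" || cipher == "0000" || cipher == "(NONE)")
            if (unsupported) print "client-unsupported"
            else if (proto != "" && !nocipher) print "negotiated " proto " " cipher
            else print "refused"
        }'
}

# probe HOST:PORT FLAG   e.g. probe mail.example.net:25 -ssl2
probe() {
    openssl s_client -connect "$1" -starttls smtp "$2" </dev/null 2>&1 |
        classify_handshake
}

# Constructed sample transcripts, modelled on the output shown in the post.
sample_refused() { printf '%s\n' 'CONNECTED(00000003)' 'write:errno=104'; }
sample_ssl3() {
    printf '%s\n' 'CONNECTED(00000003)' '---' 'SSL-Session:' \
        '    Protocol  : SSLv3' '    Cipher    : DHE-RSA-AES256-SHA' \
        '    Verify return code: 18 (self signed certificate)' '---' \
        '220 mail.example.net ESMTP Postfix'
}
sample_null_session() {
    printf '%s\n' 'CONNECTED(00000003)' 'New, (NONE), Cipher is (NONE)' \
        'SSL-Session:' '    Protocol  : TLSv1.2' '    Cipher    : 0000'
}

# With arguments, probe a live server: sh check.sh mail.example.net:25 -ssl2 -ssl3
if [ "$#" -ge 2 ]; then
    target=$1; shift
    for flag in "$@"; do printf '%s %s\n' "$flag" "$(probe "$target" "$flag")"; done
fi
```

A "client-unsupported" result means the local openssl build cannot speak that protocol, so the test has to be repeated from a client that can before the server is considered checked.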