Postfix-Tls: disabling SSLv2.0

Discussion in 'Server Operation' started by ridlo, Oct 10, 2006.

  1. ridlo

    ridlo New Member


    In order to comply with SOX, Securitymetrics has been scanning our machines & gave us this message when scanning our mail server:

    Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.

    Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

    Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

    This is a debian box, running sarge (3.1r4), Postfix-TLS 2.1.5-9. We are running SSLv3.0 & TLSv1.0.

    So my question is, how do I disable the use of SSLv2.0 with postfix-tls?
  2. ridlo

    ridlo New Member


    After some exhaustive searches, I discovered smtpd_tls_cipherlist & smtp_tls_cipherlist. I've also read that the directives are a bit outdated, but they seem to be working. Syntax is the same as you would use with the apache directives.

    smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
    smtp_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL

Share This Page