Heya! In order to comply with SOX, Securitymetrics has been scanning our machines & gave us this message when scanning our mail server:

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

This is a Debian box, running sarge (3.1r4), Postfix-TLS 2.1.5-9. We are running SSLv3.0 & TLSv1.0. So my question is, how do I disable the use of SSLv2.0 with postfix-tls?
Fix

After some exhaustive searches, I discovered smtpd_tls_cipherlist & smtp_tls_cipherlist. I've also read that the directives are a bit outdated, but they seem to be working. Syntax is the same as you would use with the Apache directives.

    smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
    smtp_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
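As an added example (not from the original poster), the script below lints a Postfix main.cf fragment for the point the answer above makes: whether the OpenSSL cipher strings in smtpd_tls_cipherlist and smtp_tls_cipherlist actually remove SSLv2 suites. OpenSSL cipher strings are evaluated left to right, and a bare keyword such as ALL or SSLv2 can add SSLv2 ciphers back after a "-SSLv2", so the check tracks order rather than just searching for the substring; "!SSLv2" removes them permanently. The two main.cf samples are constructed for this example, the "before" one being a server with no cipher restriction at all and the "after" one carrying the answer's two lines. Newer Postfix releases also have dedicated protocol parameters (smtpd_tls_protocols and friends), which this example does not cover.

```python
"""Lint a Postfix main.cf fragment for SSLv2 exposure in its cipher lists.

Added example; the main.cf samples below are constructed, not taken from
the original post. The two parameter names are the ones the answer uses.
"""

# Constructed sample: TLS enabled, but no cipher list set at all.
MAIN_CF_BEFORE = """\
# TLS settings (constructed example, not a real server)
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
"""

# Constructed sample: the same file plus the two lines from the answer.
MAIN_CF_AFTER = MAIN_CF_BEFORE + """\
smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
smtp_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
"""

CIPHERLIST_PARAMS = ("smtpd_tls_cipherlist", "smtp_tls_cipherlist")


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments, and continuation
    lines (lines beginning with whitespace extend the previous value)."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def excludes_sslv2(cipherlist):
    """Return True if the OpenSSL cipher string ends up with SSLv2 suites removed.

    Rules modelled (OpenSSL cipher-string semantics):
      '!SSLv2'  permanently deletes SSLv2 suites, nothing can re-add them;
      '-SSLv2'  deletes them, but a later bare keyword may add them back;
      '+X'      only reorders suites already present, so it adds nothing;
      '@...'    is a sort directive, not a cipher selector;
      a bare keyword (ALL, SSLv2, RC4+RSA, ...) adds suites and, on the
      OpenSSL builds of that era, may pull SSLv2 suites back in. The check is
      conservative: any bare keyword after '-SSLv2' resets the exclusion.
    """
    excluded = False  # no restriction means SSLv2 stays enabled
    for token in cipherlist.split(":"):
        t = token.strip()
        if not t:
            continue
        if t == "!SSLv2":
            return True
        if t == "-SSLv2":
            excluded = True
        elif t[0] in "+-!@":
            continue  # reorder, other removal, or sort directive: no effect on SSLv2
        else:
            excluded = False  # bare keyword adds ciphers, possibly SSLv2 ones
    return excluded


def audit(text):
    """Map each cipher-list parameter to True (SSLv2 excluded), False (present
    in the list but SSLv2 not excluded) or None (parameter not set at all)."""
    params = parse_main_cf(text)
    return {
        name: (excludes_sslv2(params[name]) if name in params else None)
        for name in CIPHERLIST_PARAMS
    }


if __name__ == "__main__":
    for label, cf in (("before", MAIN_CF_BEFORE), ("after", MAIN_CF_AFTER)):
        print(label)
        for name, state in audit(cf).items():
            verdict = {True: "SSLv2 excluded", False: "SSLv2 NOT excluded",
                       None: "unset, server default applies"}[state]
            print(f"  {name}: {verdict}")
```

Running it reports both parameters as unset for the "before" file and as excluding SSLv2 for the "after" file. A string such as ALL:-SSLv2:SSLv2 is correctly flagged, since the trailing bare keyword re-adds what "-SSLv2" removed.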