Disable SSLv2 and Weak Ciphers in Postfix

Enable these two options to disable SSLv2 and also disable ciphers which are less than 128-bit:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high

This entry was posted on 08/03/2007 (Thursday) at 9:04 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.
Printed from: http://rackerhacker.com/2007/03/08/disable-sslv2-and-weak-ciphers-in-postfix/ .
© Major Hayden 2012.

3 Comments   »

  • Dennis says:
    30.01.09 at 16:05

    Don't do that. It should be "smtpd_tls_mandatory_ciphers = medium" or "smtpd_tls_mandatory_ciphers = high", using both actual just fubars the whole thing (silently). From the docs it says for medium: "Enable the mainstream "MEDIUM" grade or better".

  • Judd says:
    25.02.09 at 11:56

    No go on RHEL4, requires postfix <= 2.3

  • Judd says:
    25.02.09 at 11:58

    this works in main.cf though:

    smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3


RSS feed for comments on this post

Leave a Reply

 

  • Welcome! I started this blog as a way to give back to all of the other system administrators who have taught me something in the past. Writing these posts brings me a lot of enjoyment and I hope you find the information useful. If you spot something that's incorrect or confusing, please write a comment and let me know. Drop me a line if there's something you want to know more about and I'll do my best to write a post on the topic.
    -- Major Hayden

    Flattr this