Disable SSLv2 and Weak Ciphers in Postfix

Set these two options to disable SSLv2 and to disable ciphers weaker than 128-bit:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high

Printed from: http://rackerhacker.com/2007/03/08/disable-sslv2-and-weak-ciphers-in-postfix/ .
© Major Hayden 2012.

3 Comments

  • Dennis says:

    Don't do that. It should be "smtpd_tls_mandatory_ciphers = medium" or "smtpd_tls_mandatory_ciphers = high"; using both actually just fubars the whole thing (silently). From the docs, it says for medium: "Enable the mainstream "MEDIUM" grade or better".

  • Judd says:

    No go on RHEL4, requires postfix <= 2.3

  • Judd says:

    This works in main.cf though:

    smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
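
The first comment describes a two-value cipher grade failing silently. The following is an added example (not code from the original post, its commenters, or Postfix) that lints main.cf text for that mistake and for SSLv2 still being permitted. The function names and sample inputs are constructed for illustration; protocol lists are split on whitespace, commas or colons with "!" marking an exclusion, and comparing protocol names case-insensitively is a choice made here.

```python
import re

# Documented grade names; smtpd_tls_mandatory_ciphers takes exactly one of them.
GRADES = {"export", "low", "medium", "high", "null"}
BELOW_128_BIT = {"export", "low", "null"}  # grades the post wants to rule out

# Constructed sample inputs: the post's two lines, and a single-grade variant.
POST_CF = ("smtpd_tls_mandatory_protocols = SSLv3, TLSv1\n"
           "smtpd_tls_mandatory_ciphers = medium, high\n")
SINGLE_GRADE_CF = POST_CF.replace("medium, high", "medium")

def parse_main_cf(text):
    """Parse main.cf text: name = value, '#' comments, indented continuations."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name:  # continuation of the previous value
            params[name] = (params[name] + " " + raw.strip()).strip()
        elif "=" in raw:              # a later assignment overrides an earlier one
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value
    return params

def audit(text):
    """Return (parameter, problem) pairs for the two settings in the post."""
    params, findings = parse_main_cf(text), []
    name = "smtpd_tls_mandatory_ciphers"
    if (grade := params.get(name)) is None:
        findings.append((name, "not set in this file"))
    elif grade not in GRADES:
        findings.append((name, f"{grade!r} is not a single grade name"))
    elif grade in BELOW_128_BIT:
        findings.append((name, f"grade {grade!r} allows ciphers below 128-bit"))
    name = "smtpd_tls_mandatory_protocols"
    if (value := params.get(name)) is None:
        findings.append((name, "not set in this file"))
    else:
        tokens = [t.lower() for t in re.split(r"[\s,:]+", value) if t]
        allowed = {t for t in tokens if not t.startswith("!")}
        denied = {t[1:] for t in tokens if t.startswith("!")}
        # A list made only of "!proto" exclusions leaves the rest enabled.
        if "sslv2" not in denied and (not allowed or "sslv2" in allowed):
            findings.append((name, "SSLv2 is still permitted"))
    return findings

if __name__ == "__main__":
    print("post:", audit(POST_CF), "| single grade:", audit(SINGLE_GRADE_CF))
```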
