Racker Hacker

Disable SSLv2 and Weak Ciphers in Postfix

Enable these two options to disable SSLv2 and also disable ciphers which are less than 128-bit:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high

This entry was posted on 08/03/2007 (Thursday) at 9:04 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Printed from: http://rackerhacker.com/2007/03/08/disable-sslv2-and-weak-ciphers-in-postfix/ .
© Major Hayden 2010.

3 Comments   »

• Dennis says:

  30.01.09 at 16:05

  Don't do that. It should be "smtpd_tls_mandatory_ciphers = medium" or "smtpd_tls_mandatory_ciphers = high", using both actual just fubars the whole thing (silently). From the docs it says for medium: "Enable the mainstream "MEDIUM" grade or better".
• Judd says:

  25.02.09 at 11:56

  No go on RHEL4, requires postfix <= 2.3
• Judd says:

  25.02.09 at 11:58

  this works in main.cf though:

  smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
  smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

RSS feed for comments on this post , TrackBack URI

• • Home
  • About the Racker Hacker
  • MySQLTuner
  • Favorite Mac Apps

• My Sites

  • Major's Posterous
  • MySQLTuner
  • PleskHacker

• Social Media

  • Facebook
  • Flickr
  • LinkedIn
  • Twitter

• Web Links

  • 5dollarwhitebox
  • langui.sh
  • rjamestaylor.com
  • Steven Crowder
  • Stuffleufagus
  • Transcend Linux

• RackerHacker's Tweets

  • @sivel You're pretty excited about your pajama pockets. 4 hrs ago
  • @Remy Ooh, that bad? #longliveconan 4 hrs ago
  • @reaperhulk @anoopbhat I can run high bitrate 1080p video on Windows 7 with CoreAVC, but that means running Windows, which makes me gag. in reply to reaperhulk 7 hrs ago
  • @michellegreer Darn, I'm jealous. I'd like to be at that party. ;-) in reply to michellegreer 9 hrs ago
  • @agilejoe I'm tired of wrestling with the OS. in reply to agilejoe 9 hrs ago
  • More updates...

• Recent Comments

  • MonkeyAss on Automatically starting synergy in GDM in Ubuntu/Fedora
  • Torres on Requiring SSL encryption for Wordpress administration
  • Steffen on MySQL: Errcode: 24 when using LOCK TABLES
  • ip_conntrack table is full and dropping packets | My Literature Tech blog on ip_conntrack: table full, dropping packet
  • Deeapk on rpmdb: Lock table is out of available locker entries

• Random Posts

  • MySQL Replication: Breakdown
  • Linux: emergency reboot or shutdown with magic commands
  • Adding SSL encryption to vsftpd
  • MySQL: The total number of locks exceeds the lock table size
  • Add SSL/TLS support to proftpd

• Tags

  apache blog command line database debian development emergency encryption fedora filesystem ftp fun general advice horde iowait iptables kernel kernel panics linux mac mail memory mysql mysqltuner networking optimization performance perl php plesk procmail qmail red hat rpm screencasts security sendmail ssh ssl sysadmin ubuntu vmware web wordpress yum