Enable these two options to disable SSLv2 and also disable ciphers which are less than 128-bit:
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
Racker Hacker
Words of wisdom from a server administratorDisable SSLv2 and Weak Ciphers in Postfix
This entry was posted on 08/03/2007 (Thursday) at 9:04 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Printed from: http://rackerhacker.com/2007/03/08/disable-sslv2-and-weak-ciphers-in-postfix/ .
© Major Hayden 2010.
© Major Hayden 2010.
3 Comments »
Leave a Reply
My Sites
Recent Comments
Random Posts
Tags
apache blog command line database debian development emergency fedora filesystem ftp fun general advice horde iowait iptables kernel kernel panics linux mac mail memory mysql mysqltuner network networking optimization performance perl php plesk qmail rackspace red hat rpm ruby security sendmail ssl sysadmin twitter ubuntu vmware web wordpress yum
Don't do that. It should be "smtpd_tls_mandatory_ciphers = medium" or "smtpd_tls_mandatory_ciphers = high", using both actual just fubars the whole thing (silently). From the docs it says for medium: "Enable the mainstream "MEDIUM" grade or better".
No go on RHEL4, requires postfix <= 2.3
this works in main.cf though:
smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3