Is there a way to configure smtpd to only use specified ciphers or limit it to TLSv1.[12]?

I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's `ssl_ciphers` or `ssl_protocols` configuration directives.

The reason I ask is because I'm very close to failing my PCI compliance because of smtpd. They score each compliance test from 0 to 9. If any single score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently receiving a risk score of 3.9. I have a feeling that in the not-too-distant future this particular test will fail.

My PCI-DSS vendor, Security Metrics, states that smtpd is "vulnerable to information disclosure" because of the initialization vector implementations in SSLv3 and TLSv1.0.

Their stated resolution is:

"Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers."

I'm not a mail expert, but my feeling is that secured email hasn't been widespread until recent years. If any MTAs support encryption, they are probably using the latest protocols and ciphers.

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
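Whatever smtpd itself supports, the policy in the vendor's resolution (TLS 1.1 or 1.2 only, no CBC-mode suites) can be expressed as a TLS server context and checked mechanically. The following is an added example, not code from the original post or from the OpenSMTPD project; it uses Python's standard `ssl` module, and the `SAMPLE_SUITES` records are constructed to mirror the shape of `SSLContext.get_ciphers()` output. Note that the vendor's wording targets the CBC construction that SSLv3 and TLSv1.0 use block ciphers in; AEAD suites such as AES-GCM also use a block cipher, but not in CBC mode, so the audit below flags CBC suites and stream ciphers rather than everything built on AES.

```python
import ssl

# Constructed sample records in the shape SSLContext.get_ciphers() returns
# (only the keys the audit uses are included).
SAMPLE_SUITES = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "symmetric": "aes-128-gcm", "aead": True},
    {"name": "ECDHE-RSA-AES128-SHA", "protocol": "SSLv3",
     "symmetric": "aes-128-cbc", "aead": False},
    {"name": "ECDHE-RSA-CHACHA20-POLY1305", "protocol": "TLSv1.2",
     "symmetric": "chacha20-poly1305", "aead": True},
    {"name": "RC4-SHA", "protocol": "SSLv3",
     "symmetric": "rc4", "aead": False},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3",
     "symmetric": "des-ede3-cbc", "aead": False},
]


def suite_mode(suite):
    """Classify one cipher-suite record by how its symmetric cipher is used."""
    if suite.get("aead"):
        return "aead"            # GCM / CCM / ChaCha20-Poly1305: not CBC
    sym = suite.get("symmetric", "").lower()
    if "cbc" in sym:
        return "cbc"             # the mode the vendor finding is about
    if sym.startswith("rc4"):
        return "stream"          # RC4: avoid as well, for unrelated reasons
    return "other"


def find_bad_suites(suites):
    """Return the names of suites that violate the 'no CBC, no RC4' policy."""
    return [s["name"] for s in suites if suite_mode(s) in ("cbc", "stream")]


def hardened_server_context():
    """Build a server-side context restricted to TLS 1.2+ and AEAD suites.

    The cipher string is an OpenSSL cipher-list expression: ECDHE/DHE key
    exchange with AES-GCM or ChaCha20-Poly1305, no anonymous or null suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def audit_context(ctx, floor=ssl.TLSVersion.TLSv1_2):
    """Return a list of policy findings for a context; empty means compliant."""
    findings = []
    if ctx.minimum_version < floor:
        findings.append(
            f"minimum protocol is {ctx.minimum_version.name}, policy requires {floor.name}")
    for name in find_bad_suites(ctx.get_ciphers()):
        findings.append(f"non-compliant suite enabled: {name}")
    return findings


if __name__ == "__main__":
    print("sample records flagged:", find_bad_suites(SAMPLE_SUITES))
    print("hardened context findings:", audit_context(hardened_server_context()))
```

`audit_context` reads the context's own configuration, so the same function can be pointed at any `SSLContext` an application builds; the `minimum_version` check is what actually rules out SSLv3 and TLSv1.0, since a cipher list alone does not constrain the protocol version.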
