On 21 May 2018, at 13:16 (-0400), Sean Son wrote:
> Hello all
>
> I have opportunistic TLS (offering STARTTLS) configured in my main.cf
> file. I have been tasked to disable SSLv2 and SSLv3 as well as disable
> medium strength ciphers (to use high strength ones instead) in my postfix
> server. If I was to add the following to my main.cf:
>
> smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtpd_tls_protocols=!SSLv2,!SSLv3
> smtp_tls_protocols=!SSLv2,!SSLv3
These are already the defaults in currently supported versions of
Postfix.
> will this be enough to disable medium strength ciphers as well as disable
> SSLv2/v3?
No.
> Or will I need more?
To disable ciphers, you'd need to set smtpd_tls_ciphers and
smtp_tls_ciphers.
> Also would this configuration cause any issues with the opportunistic TLS
> configuration that I already have set up in my main.cf?
Of course. The more tightly you restrict the options available for
opportunistic TLS, the more often you will fall back to entirely
unencrypted transport of mail OR simply be unable to exchange mail at
all with some sites.
Disabling "medium" strength ciphers is not a wise choice for
public-facing SMTP.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
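The point Bill makes above, that the *_tls_protocols parameters say nothing about cipher grades and that the opportunistic (smtpd_tls_ciphers / smtp_tls_ciphers) and mandatory (*_tls_mandatory_ciphers) parameters are separate knobs, is easy to check mechanically. The script below is an added example written for this thread, not part of the original mail or of Postfix itself. It parses a main.cf (including Postfix continuation lines), fills in unset parameters with assumed defaults for the Postfix releases current in 2018 ("!SSLv2,!SSLv3" for protocols, "medium" for every cipher-grade parameter; newer releases write the protocol defaults differently), and reports where a protocol list was set while the matching cipher grade was left at its default. The sample main.cf is constructed and mirrors the settings proposed in the question.

```python
"""Audit TLS protocol vs cipher-grade parameters in a Postfix main.cf.

Added example for the thread above; not Postfix code. The defaults table is
an assumption for 2018-era Postfix releases, not a substitute for `postconf -d`.
"""
import re

# Assumed defaults (opportunistic and mandatory settings are separate parameters).
ASSUMED_DEFAULTS = {
    "smtpd_tls_protocols": "!SSLv2,!SSLv3",
    "smtpd_tls_mandatory_protocols": "!SSLv2,!SSLv3",
    "smtp_tls_protocols": "!SSLv2,!SSLv3",
    "smtp_tls_mandatory_protocols": "!SSLv2,!SSLv3",
    "smtpd_tls_ciphers": "medium",
    "smtpd_tls_mandatory_ciphers": "medium",
    "smtp_tls_ciphers": "medium",
    "smtp_tls_mandatory_ciphers": "medium",
}

PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text):
    """Parse main.cf text into {name: value}.

    Follows the file's own rules: lines whose first non-blank character is '#'
    are comments, a line starting with whitespace continues the previous
    parameter's value, and a later assignment overrides an earlier one.
    $name references are left unexpanded.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = PARAM_RE.match(raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def effective_tls_settings(params):
    """Return effective values (explicit or assumed default) plus findings."""
    result = {"values": {}, "defaulted": [], "findings": []}
    for name, default in ASSUMED_DEFAULTS.items():
        if name in params:
            result["values"][name] = params[name]
        else:
            result["values"][name] = default
            result["defaulted"].append(name)
    for side in ("smtpd", "smtp"):
        for mode in ("", "mandatory_"):
            proto = f"{side}_tls_{mode}protocols"
            ciph = f"{side}_tls_{mode}ciphers"
            grade = result["values"][ciph]
            if proto in params and ciph not in params:
                result["findings"].append(
                    f"{proto} is set but {ciph} is not: cipher grade stays at "
                    f"its default '{grade}' (protocol lists do not restrict ciphers)"
                )
            if grade in ("export", "low"):
                result["findings"].append(f"{ciph}={grade} permits weak cipher grades")
    return result


def audit_text(text):
    return effective_tls_settings(parse_main_cf(text))


# Constructed sample: the four protocol lines from the question, nothing about ciphers.
SAMPLE_MAIN_CF = """\
# constructed sample main.cf
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_exclude_ciphers = aNULL,
    MD5
"""

if __name__ == "__main__":
    report = audit_text(SAMPLE_MAIN_CF)
    for finding in report["findings"]:
        print(finding)
```

Feed it the output of `postconf -n` (explicit settings only) or the raw main.cf; every finding names the cipher-grade parameter that would have to be set alongside the protocol list, which is exactly the gap between the proposed configuration and the task as stated.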