> On May 21, 2018, at 1:16 PM, Sean Son <linuxmailinglistsem...@gmail.com> 
> wrote:
> 
> Hello all
> 
> I have opportunistic TLS (offering STARTTLS) configured in my main.cf file.
> I have been tasked to disable SSLv2 and SSLv3 as well as disable medium
> strength ciphers (to use high strength ones instead) in my postfix server.
> If I was to add the following to my main.cf:
> 
> 
> smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtpd_tls_protocols=!SSLv2,!SSLv3
> smtp_tls_protocols=!SSLv2,!SSLv3

These are default settings in all recent versions of Postfix.

$ postconf -d | egrep '^[^ ]*mtpd?_tls.*_protocols' 
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3

> will this be enough to disable medium strength ciphers as well

No.  In OpenSSL 1.0.2 the medium ciphers are typically RC4, 3DES, IDEA and SEED.
Only RC4 is occasionally the only cipher supported by ancient Windows (2003) SMTP
servers.  When you disable RC4, those servers will send in the clear.  That is
likely not a problem for you, so if you wish to disable the "medium" ciphers,
you'll need:

        smtpd_tls_ciphers = high

> Also would this configuration cause any issues with the opportunistic
> TLS configuration that I already have set up in my main.cf?

It'll force ancient RC4-only implementations to send in the clear or
perhaps not be able to send at all.  By now that should be quite
rare, but I don't disable "medium" on my server.  Instead:

        smtpd_tls_ciphers = medium
        tls_preempt_cipherlist = yes 

Allows the server to choose the strongest cipher supported by
the client.  On the client side I have:

  smtp_tls_ciphers = medium
  smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

leaving RC4/3DES enabled (if still supported by the underlying OpenSSL
library, recent versions tend to come with RC4 and 3DES disabled).

-- 
        Viktor.
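As an added check that is not part of the thread and not Postfix's own code: a small Python audit of a main.cf fragment against the points discussed above (SSLv2/SSLv3 excluded on all four protocol parameters, cipher grade, tls_preempt_cipherlist). Parameter names are the real Postfix ones; the protocol defaults are taken from the quoted `postconf -d` output, the "medium"/"no" defaults for the cipher grade and tls_preempt_cipherlist are assumed, and the sample configuration is constructed.

```python
import re

# Protocol defaults quoted from `postconf -d` above; "medium" and "no" are assumed Postfix defaults.
DEFAULTS = {p: "!SSLv2, !SSLv3" for p in ("smtpd_tls_protocols",
            "smtpd_tls_mandatory_protocols", "smtp_tls_protocols", "smtp_tls_mandatory_protocols")}
DEFAULTS.update(smtpd_tls_ciphers="medium", smtp_tls_ciphers="medium", tls_preempt_cipherlist="no")

# Constructed sample main.cf fragment (not a real server's configuration).
SAMPLE_MAIN_CF = """\
smtpd_tls_protocols = !SSLv2,
    !SSLv3
smtpd_tls_ciphers = medium
tls_preempt_cipherlist = yes
"""

def parse_main_cf(text):
    """'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:            # continuation line
            params[last] += " " + line.strip()
        elif (m := re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)", line)):
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params

def allows_legacy_ssl(value):
    """True if a *_tls_protocols value leaves SSLv2 or SSLv3 enabled."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    if not tokens:                                # empty value = no restriction at all
        return True
    if any(t.startswith(">=") for t in tokens):
        return False                              # minimum-version form (Postfix >= 3.6) starts at TLS
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    if excluded:                                  # exclusion form, as used in the thread
        return not {"SSLv2", "SSLv3"} <= excluded
    return bool({"SSLv2", "SSLv3"} & set(tokens))  # inclusion form

def audit(text):
    """Findings against the advice in the thread; an empty list means nothing to report."""
    cfg = {**DEFAULTS, **parse_main_cf(text)}
    findings = [f"{p} leaves SSLv2/SSLv3 enabled: '{cfg[p]}'"
                for p in DEFAULTS if p.endswith("protocols") and allows_legacy_ssl(cfg[p])]
    findings += [f"{p} = {cfg[p]}: medium-grade ciphers (RC4, 3DES, IDEA, SEED) still offered"
                 for p in ("smtpd_tls_ciphers", "smtp_tls_ciphers") if cfg[p] != "high"]
    if cfg["smtpd_tls_ciphers"] != "high" and cfg["tls_preempt_cipherlist"] != "yes":
        findings.append("tls_preempt_cipherlist = no: the client, not the server, picks the cipher")
    return findings
```

Feed it the output of `postconf -n` from the server to audit the live configuration; the "medium" findings are informational, since the thread's own recommendation keeps medium with tls_preempt_cipherlist enabled.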
