> On May 21, 2018, at 1:16 PM, Sean Son <linuxmailinglistsem...@gmail.com> wrote:
>
> Hello all
>
> I have opportunistic TLS (offering STARTTLS) configured in my main.cf file.
> I have been tasked to disable SSLv2 and SSLv3 as well as disable medium
> strength ciphers (to use high strength ones instead) in my postfix server.
> If I was to add the following to my main.cf:
>
> smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtpd_tls_protocols=!SSLv2,!SSLv3
> smtp_tls_protocols=!SSLv2,!SSLv3
These are default settings in all recent versions of Postfix.

    $ postconf -d | egrep '^[^ ]*mtpd?_tls.*_protocols'
    lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    lmtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2, !SSLv3

> will this be enough to disable medium strength ciphers as well

No. In OpenSSL 1.0.2 the medium ciphers are typically RC4, 3DES, IDEA and
SEED. Only RC4 is occasionally the only cipher supported by ancient Windows
(2003) SMTP servers. When you disable RC4, those servers will send in the
clear. That is likely not a problem for you, so if you wish to disable the
"medium" ciphers, you'll need:

    smtpd_tls_ciphers = high

> Also would this configuration cause any issues with the opportunistic
> TLS configuration that I already have set up in my main.cf?

It'll force ancient RC4-only implementations to send in the clear or perhaps
not be able to send at all. By now that should be quite rare, but I don't
disable "medium" on my server. Instead:

    smtpd_tls_ciphers = medium
    tls_preempt_cipherlist = yes

This allows the server to choose the strongest cipher supported by the
client. On the client side I have:

    smtp_tls_ciphers = medium
    smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

leaving RC4/3DES enabled (if still supported by the underlying OpenSSL
library, recent versions tend to come with RC4 and 3DES disabled).

-- 
Viktor.
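A small audit script for the settings discussed in this thread, added here as an example and not taken from the thread or from Postfix itself: it parses `postconf -n` style output (a constructed sample is embedded) and flags SSLv2/SSLv3 left enabled, a cipher grade below "medium", and a server that does not prefer its own cipher order. The defaults it assumes for unset parameters are the protocol default shown in the reply ("!SSLv2, !SSLv3") and the postconf(5) defaults of "medium" for the cipher grades and "no" for tls_preempt_cipherlist.

```python
import re

# Constructed sample of `postconf -n` output, not taken from the thread; the
# server-side cipher grade is deliberately weak so the audit has something to flag.
SAMPLE_POSTCONF = """\
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = export
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
tls_preempt_cipherlist = yes
"""

GRADES = ["export", "low", "medium", "high"]  # Postfix cipher grades, weakest first
LEGACY = {"SSLv2", "SSLv3"}
PROTOCOL_PARAMS = ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
                   "smtp_tls_protocols", "smtp_tls_mandatory_protocols")
CIPHER_PARAMS = ("smtpd_tls_ciphers", "smtp_tls_ciphers")

def parse_postconf(text):
    """Parse 'name = value' lines (as printed by postconf) into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def excluded_protocols(value):
    """Protocols switched off by a '!SSLv2, !SSLv3' style value (the form used
    in the thread; the newer '>=TLSv1' form is not handled)."""
    return {tok[1:] for tok in re.split(r"[,\s]+", value) if tok.startswith("!")}

def audit(conf):
    """Return findings; an empty list means SSLv2/SSLv3 are off, both cipher
    grades are at least 'medium' and the server picks the cipher order."""
    findings = []
    for param in PROTOCOL_PARAMS:
        # An unset parameter falls back to the documented default.
        still_on = LEGACY - excluded_protocols(conf.get(param, "!SSLv2, !SSLv3"))
        if still_on:
            findings.append(f"{param}: {', '.join(sorted(still_on))} not excluded")
    for param in CIPHER_PARAMS:
        grade = conf.get(param, "medium")
        if grade not in GRADES or GRADES.index(grade) < GRADES.index("medium"):
            findings.append(f"{param} = {grade}: not at least 'medium'")
    if conf.get("tls_preempt_cipherlist", "no") != "yes":
        findings.append("tls_preempt_cipherlist is not 'yes': client chooses the cipher")
    return findings
```

Run it against `postconf -n` output from a real host by feeding that text to `parse_postconf` instead of the embedded sample.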