Hi, I use that link: https://jonathansblog.co.uk/how-to-remove-or-disable-sslv2-and-enable-sslv3-and-tlsv1-in-courier-imap-apache-and-qmail

> This is not a problem in newer OS's because SSLv3 protocol has been
> removed from newer versions of OpenSSL, so you can pick a ciphersuite
> with the strongest of the old ciphers and it will use the TLSv1 and/or
> TLSv1_1 protocols, which are supported by most older OS's.
>
> If you are savvy/brave enough (I am not), you can recompile OpenSSL
> with SSLv3 protocol disabled. That is really the effect you want, and
> may be the only way to get it for incoming connections to qmail.
>
> This has been a very long-winded way to say that I don't think you can
> easily accomplish that which you wish.
>
> FYI: this is the issue which prompted me to upgrade from Centos5 to
> Centos7.
>
> -Andy
>
>
> PS: It would be nice to have a qmail patch which allows specifying the
> protocols in a file called /control/tlsserverprotocols.
>
>
> On 4/22/2020 2:53 PM, Eric Broch wrote:
>> Doesn't '!SSLv3' in your ciphers mean NO SSLv3 is accepted? So, your
>> command should be
>>
>> openssl s_client -connect mx.domain.ltd:25 -starttls smtp -no_ssl3
>>
>> not the following command which forces ssl3...
>>
>> openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3
>>
>> Correct?
>>
>> On 4/22/2020 9:57 AM, natan maciej milaszewski wrote:
>>> Hi
>>> I have a debian8 and qmail with tcpserver
>>>
>>> I have a big problem with disabling sslv3 - or I don't understand
>>>
>>>
>>> I create /var/qmail/control/tlsserverciphers
>>> and put:
>>> ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM
>>>
>>> now I restart qmail via svc:
>>>
>>> svc -d /service/qmail-smtpd
>>> svc -u /service/qmail-smtpd
>>> svc -d /service/qmail
>>> svc -u /service/qmail
>>>
>>>
>>> and tested via openssl s_client -connect host:25 -starttls smtp -ssl3
>>> and I think sslv3 is working....
>>>
>>>
>>> openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3
>>> CONNECTED(00000003)
>>> write:errno=104
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 127 bytes and written 0 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> No ALPN negotiated
>>> SSL-Session:
>>>     Protocol : SSLv3
>>>     Cipher : 0000
>>>     Session-ID:
>>>     Session-ID-ctx:
>>>     Master-Key:
>>>     Key-Arg : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1587570345
>>>     Timeout : 7200 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>>
>>> What am I doing wrong?

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
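
Added example, not part of the original messages: a shell function that reads `openssl s_client` output and reports whether a cipher was actually negotiated. In output like that quoted above, `Cipher is (NONE)` and `Cipher : 0000` mean no handshake completed, even though the session block prints `Protocol : SSLv3`. The function and sample names are hypothetical, and the second sample is constructed for contrast.

```shell
#!/bin/sh
# Added example: decide from `openssl s_client` output whether a handshake
# actually completed. Reads the output on stdin, prints a one-line verdict,
# returns 0 if a cipher was negotiated and 1 if the server refused.
sclient_verdict() {
    awk '
        { sub(/[ \t\r]+$/, "") }    # trim trailing blanks and CR
        /Cipher is / { s = $0; sub(/.*Cipher is /, "", s); summary = s; next }
        /^[ \t]*Protocol[ \t]*:/ { p = $0; sub(/^[^:]*:[ \t]*/, "", p); proto = p }
        /^[ \t]*Cipher[ \t]*:/   { c = $0; sub(/^[^:]*:[ \t]*/, "", c); cipher = c }
        END {
            if (summary != "" && summary != "(NONE)" && cipher != "" && cipher != "0000") {
                printf "negotiated %s %s\n", proto, cipher
                exit 0
            }
            print "refused (no cipher agreed; Protocol field alone proves nothing)"
            exit 1
        }'
}

# Output quoted in the thread above, abridged to the lines the parser reads.
sample_from_thread() {
    cat <<'EOF'
CONNECTED(00000003)
write:errno=104
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol : SSLv3
    Cipher : 0000
EOF
}

# Constructed sample of a completed handshake, for contrast.
sample_constructed_ok() {
    cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
EOF
}

# Live use, with the command from the thread:
#   openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3 </dev/null 2>&1 | sclient_verdict
```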
