Disable SSLv3 too, because of Poodle.

We will need to get rid of RC4; unfortunately, this is the only cipher some
old Exchange machines understand. Also, falling back to clear text from
STARTTLS is more and more frowned upon.

On Wed, Mar 2, 2016 at 1:45 PM, Matthew Huff <mh...@ox.com> wrote:

> If your mail server still is advertising SSLv2, your SSL private key may be
> vulnerable.
>
> https://www.us-cert.gov/ncas/current-activity/2016/03/01/SSLv2-DROWN-Attack
>
> What's worse, if you are using a wildcard cert, then any other server that
> is using the same cert can be trivially decrypted even if that server is
> only using TLS1.2 and strong ciphers.
>
> I know that there are a number of broken email servers that will bounce
> mail if TLS is negotiated but they can't negotiate older SSL or weaker
> ciphers, but it's probably a good idea to either: 1) Disable TLS, or 2)
> Disable SSLv2
>
> ----
> Matthew Huff             | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC       | Phone: 914-460-4039
> aim: matthewbhuff        | Fax:   914-694-5669
>
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
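The settings the thread is arguing about, written out as a Postfix main.cf fragment. This is an added example, not configuration posted by either participant, and it assumes a Postfix MTA; hostnames and file paths are placeholders. The commented-out block shows the permissive shape that still offers SSLv2/SSLv3 and RC4; the live block below it drops SSLv2 and SSLv3 on both the inbound (smtpd_) and outbound (smtp_) sides, excludes RC4 and the other weak ciphers, and keeps TLS opportunistic ("may") so the broken peers described above still get their mail in clear text instead of bouncing.

```conf
# /etc/postfix/main.cf (hypothetical paths and hostnames)

# --- Weak form: what a server that still advertises SSLv2 can look like ---
# smtpd_tls_security_level = may
# smtpd_tls_protocols      =                # empty list = every protocol, SSLv2 included
# smtpd_tls_ciphers        = export         # permits RC4 and export-grade suites

# --- Hardened form ---
# Inbound (other MTAs and clients talking to us)
smtpd_tls_security_level           = may             # opportunistic: no bounces for TLS-less peers
smtpd_tls_cert_file                = /etc/ssl/certs/mx.example.net.pem
smtpd_tls_key_file                 = /etc/ssl/private/mx.example.net.key
smtpd_tls_protocols                = !SSLv2, !SSLv3  # DROWN and POODLE
smtpd_tls_mandatory_protocols      = !SSLv2, !SSLv3
smtpd_tls_ciphers                  = medium
smtpd_tls_mandatory_ciphers        = medium
smtpd_tls_exclude_ciphers          = aNULL, eNULL, EXPORT, RC4, MD5, DES, 3DES
tls_preempt_cipherlist             = yes             # server's order wins over the client's
smtpd_tls_loglevel                 = 1               # logs negotiated protocol and cipher per session

# Outbound (us talking to other MTAs)
smtp_tls_security_level            = may             # still falls back to clear text if a peer has no TLS
smtp_tls_protocols                 = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols       = !SSLv2, !SSLv3
smtp_tls_ciphers                   = medium
smtp_tls_exclude_ciphers           = aNULL, eNULL, EXPORT, RC4, MD5, DES, 3DES
smtp_tls_loglevel                  = 1
```

After `postfix reload`, the `Anonymous TLS connection established ... TLSv1.2 with cipher ...` lines in the mail log show what each peer actually negotiated, which is how you find the Exchange hosts that only speak RC4 before dropping it. Two caveats that follow from the thread: fixing this one daemon does not close DROWN if any other host (a web server, an IMAP front end) still offers SSLv2 with the same wildcard key, so every service using that key has to be checked, and a key that has been exposed to an SSLv2 server should be replaced rather than merely protected going forward.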