Disable SSLv3 too, because of Poodle. We will need to get rid of RC4, unfortunately this is the only cypher some old exchange machines understand. Also falling back to clear text from STARTTLS is more and more frowned upon.
On Wed, Mar 2, 2016 at 1:45 PM, Matthew Huff <mh...@ox.com> wrote: > If your mail server still is advertising SSLv2, you SSL private key may be > vulnerable. > > https://www.us-cert.gov/ncas/current-activity/2016/03/01/SSLv2-DROWN-Attack > > What's worse, if you are using a wildcard cert, then any other server that > is using the same cert can be trivially decrypted even if that server is > only using TLS1.2 and strong cyphers. > > I know that there are a number of broken email servers that will bounce > mail if TLS is negotiated but they can't negotiate older SSL or weaker > cyphers, but it's probably a good idea to either: 1) Disable TLS, or 2) > Disable SSLv2 > > ---- > Matthew Huff | 1 Manhattanville Rd > Director of Operations | Purchase, NY 10577 > OTA Management LLC | Phone: 914-460-4039 > aim: matthewbhuff | Fax: 914-694-5669 > > > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop