I am having a spot of trouble disabling SSLv2 on a Postfix 2.5.1 installation (from the Fedora 9 repo). Here is my postconf:

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = mail.network.com, localhost, localhost.localdomain
myhostname = mail.network.com
mynetworks = 127.0.0.0/8, 192.168.0.0/24
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/postfix-2.5.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_security_options = noanonymous
smtp_tls_mandatory_protocols = !SSLv2
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/mail.network.com.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.network.com.key
smtpd_tls_mandatory_ciphers = medium, high
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_local_recipient_reject_code = 450
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf


And when I try and check (from another machine) to see if it's still active:

openssl s_client -connect 192.168.0.10:25 -ssl2

I get this:
CONNECTED(00000003)

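That means it's still answering SSLv2, correct? [Note: s_client prints CONNECTED(00000003) as soon as the TCP connection opens, before any SSL handshake, so on its own it does not show that SSLv2 was negotiated. Port 25 also starts in plain SMTP, so the test needs `-starttls smtp`, and the handshake result printed afterwards is what matters.] I am confused as to what I may be missing to disable this. Can anyone provide any suggestions or tips? I am using certs signed by a CA, if that makes any difference.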
Thanks!

