Bastian Blank wrote:
> On Mon, Jul 27, 2009 at 08:03:20AM -0400, Wietse Venema wrote:
>> Jake Vickers:
>>> Now I know I posted the other day about disabling SSLv2, but if I add
>> That solution was for MANDATORY TLS encryption. If TLS is not mandatory,
>> then disabling SSLv2 is pointless: you allow plaintext email.
> I don't think this is completely correct. I can still have
> authentication only enabled over secure connections
> (smtpd_tls_auth_only) but allow unencrypted connections for normal mail.
> Then SSLv2 can't be considered as secure.
> Bastian

If you want to allow TLS+SASL on port 25 AND disable SSLv2 for
those connections, you need postfix 2.6 or newer.
http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
If you can't use postfix 2.6 or newer, just don't allow SASL
on port 25. Require your clients to use 587 or 465 with
required TLS on both ports.
-- Noel Jones
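
The two options from the reply above, written out as Postfix configuration. This is an added example, not part of the original thread; the split between ports 25, 587 and 465 follows the reply, while the explicit protocol list and the master.cf layout are assumptions of this example.

```conf
# ---- Option A: Postfix 2.6 or newer -------------------------------
# main.cf: opportunistic TLS on port 25, AUTH only after STARTTLS,
# and SSLv2 excluded even though TLS is not mandatory.
smtpd_tls_security_level = may
smtpd_sasl_auth_enable   = yes
smtpd_tls_auth_only      = yes
smtpd_tls_protocols      = !SSLv2

# ---- Option B: Postfix older than 2.6 -----------------------------
# main.cf: port 25 still accepts plaintext or opportunistic TLS for
# ordinary mail, but never offers SASL AUTH.
smtpd_tls_security_level = may
smtpd_sasl_auth_enable   = no

# master.cf: clients authenticate on 587 (STARTTLS required) or
# 465 (TLS wrapper mode). TLS is mandatory on both services, so
# smtpd_tls_mandatory_protocols applies and can leave out SSLv2.
# The explicit list below is the 2009-era form; a current server
# would restrict it further.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_mandatory_protocols=SSLv3,TLSv1
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_mandatory_protocols=SSLv3,TLSv1
```

Options A and B are alternatives for main.cf, not settings to combine. Running `postconf -n` after a reload shows which values are in effect.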