On 9/2/2011 12:28 PM, Michael B Allen wrote:
> Hello,
>
> I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If
> I do the following:
>
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> smtpd_tls_mandatory_ciphers = medium, high
>
> but despite the fact that this configuration has been posted and
> reposted about the WWW, it does not actually work. I can still
> negotiate SSLv2:
>
> $ openssl s_client -connect xxxx.xxxxxxx.xxx:25 -starttls smtp -ssl2
>
> If I add smtpd_tls_security_level = encrypt it then works but then
> plaintext clients cannot connect and it is very unfortunate to find
> that real customers still use agents that create plaintext
> connections.
>

Please read the documentation:

http://www.postfix.org/postconf.5.html#smtpd_tls_protocols -- this one is for opportunistic i.e. "may" and requires Postfix 2.6 or later.

http://www.postfix.org/postconf.5.html#smtpd_mandatory_tls_protocols -- this one is for mandatory i.e. "encrypt"

Brian
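
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Postfix code: the Python below reads main.cf text, works out whether smtpd runs opportunistic ("may") or mandatory ("encrypt") TLS, and reports which protocol parameter governs that level and whether it still leaves SSLv2 enabled. The function names and the sample config are constructed here, and an unset protocol list is assumed to mean unrestricted, which in practice depends on the Postfix release.

```python
import re

# Which protocol parameter the server consults at each TLS security level,
# per the two postconf(5) entries linked in the reply above.
GOVERNING = {"may": "smtpd_tls_protocols",
             "encrypt": "smtpd_tls_mandatory_protocols"}

def parse_main_cf(text):
    """Parse main.cf text into a dict; handles comments and continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:          # continuation of previous value
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def allows_sslv2(value):
    """True if a protocol list leaves SSLv2 enabled. Assumption: an unset or
    empty list is treated as unrestricted (real defaults vary by release)."""
    items = [p for p in re.split(r"[,\s:]+", value or "") if p]
    included = [p for p in items if not p.startswith("!")]
    if "!SSLv2" in items:
        return False
    return not included or "SSLv2" in included

def audit(text):
    """Return (level, governing parameter, sslv2_allowed) for smtpd.
    Hypothetical helper written for this example."""
    cf = parse_main_cf(text)
    level = cf.get("smtpd_tls_security_level", "")
    if not level:  # legacy switches apply only when the level is unset
        level = ("encrypt" if cf.get("smtpd_enforce_tls") == "yes" else
                 "may" if cf.get("smtpd_use_tls") == "yes" else "none")
    param = GOVERNING.get(level)
    if param is None:
        return level, None, False              # TLS is not offered at all
    return level, param, allows_sslv2(cf.get(param))

# Constructed sample: the settings quoted in the question, with opportunistic TLS.
SAMPLE = """\
smtpd_use_tls = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
"""
```

Calling `audit(SAMPLE)` shows the mandatory list being ignored at level "may"; on Postfix 2.6 or later, adding `smtpd_tls_protocols = !SSLv2` changes the result.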