On Fri, Sep 2, 2011 at 1:51 PM, Wietse Venema <wie...@porcupine.org> wrote:
> Michael B Allen:
>> On Fri, Sep 2, 2011 at 12:41 PM, Wietse Venema <wie...@porcupine.org> wrote:
>> > Michael B Allen:
>> >> Hello,
>> >>
>> >> I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If
>> >> I do the following:
>> >>
>> >> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>> >> smtpd_tls_mandatory_ciphers = medium, high
>> >
>> > This is for mandatory TLS.
>> >
>> >> If I add smtpd_tls_security_level = encrypt it then works but then
>> >
>> > You are using opportunistic TLS instead of mandatory TLS. As
>> > documented, that is controlled with smtpd_tls_protocols/ciphers.
>>
>> Hi Wietse,
>>
>> But it seems the smtpd_tls_protocols/ciphers directives are specific to 2.6?
>>
>> Is there any way to disable SSLv2 in postfix 2.3?
>
> If you use opportunistic TLS then you are willing to accept plaintext,
> i.e. no security. Under those conditions, it does not matter what
> cipher or crypto protocol the client uses.

Hi Wietse,

My objectives are not driven by or based on logic. They are based on
the requirements of a consortium of credit card companies and banks.

I will look at alternative packages for CentOS. Or maybe I will have
to move to CentOS 6.

> BTW, Postfix 2.3 was developed in 2005, released in 2006, and support
> was terminated in 2009.

This is off-topic but you may know that CentOS (which is RedHat
repackaged without the branding) backports all fixes. Meaning an issue
identified in 2.6 would be addressed as a patch in their 2.3 package
(if necessary). So they do not solely rely on upstream support. They
are going for stability and longevity. That is why I use CentOS /
RedHat and I suspect that is why you continue to get this question on
the list. Unlike most Linux distributions, they continue to update
packages for 4 years or so because that is about how long it takes for
hardware to become obsolete or break down. Some very popular
distributions like Ubuntu and Fedora almost always stop updating after
only a year or so. This is one reason why I believe that Linux is not
going to gain market share over other operating systems.

Mike
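
Added example, not part of the thread and not Postfix code: a small main.cf audit that reports which parameter governs SSLv2 for a given smtpd_tls_security_level and Postfix version, following the distinction drawn above between mandatory and opportunistic TLS. The function names and status strings are this example's own, the sample configuration is constructed, and only smtpd_tls_security_level is read (legacy smtpd_use_tls / smtpd_enforce_tls are ignored).

```python
import re

def parse_main_cf(text):
    """Parse main.cf text: skip comments, join whitespace-led continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():              # continuation of the previous parameter
            if key:
                params[key] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            key = name.strip()
            params[key] = value.strip()
    return params

def sslv2_status(params, version):
    """Return (governing_parameter, status); version is a tuple such as (2, 3)."""
    level = params.get("smtpd_tls_security_level", "")
    if level == "encrypt":                # mandatory TLS
        name = "smtpd_tls_mandatory_protocols"
    elif level == "may":                  # opportunistic TLS
        # Per the thread, smtpd_tls_protocols is only available from Postfix 2.6.
        if version < (2, 6):
            return (None, "unrestricted")
        name = "smtpd_tls_protocols"
    else:
        return (None, "no-tls-level")
    if name not in params:
        return (name, "default")          # compare against `postconf -d` output
    # Protocol names are separated by whitespace, commas or colons.
    items = [p.lower() for p in re.split(r"[,:\s]+", params[name]) if p]
    includes = [p for p in items if not p.startswith("!")]
    allowed = "!sslv2" not in items and (not includes or "sslv2" in includes)
    return (name, "enabled" if allowed else "disabled")

# Constructed sample: the two settings from the thread plus opportunistic TLS.
SAMPLE = """\
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
"""

if __name__ == "__main__":
    print(sslv2_status(parse_main_cf(SAMPLE), (2, 3)))
```
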