On Thu, Oct 16, 2014 at 09:02:04AM -0700, Grant wrote:

> >> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> >>
> >> The above is said to work with:
> >>
> >> smtpd_tls_security_level = encrypt
> >
> > Correct, since at that security level TLS is mandatory.
> >
> >> but does it work with:
> >>
> >> smtpd_tls_security_level = may
> >> smtpd_tls_auth_only = yes
> >
> > No, for that you'd have to also needlessly change smtpd_tls_protocols.
> >
> > POODLE is not an SMTP attack.  No need to panic.  Disabling SSL
> > 3.0 may feel good, but the net effect is slightly negative, since
> > you'll now use cleartext with SSLv3-only SMTP peers.
> 
> Wouldn't these used in combination require TLS for authentication?
> 
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_protocols = !SSLv2, !SSLv3

Authentication should generally be limited to the submission port.
On the submission port, there is still no exposure to POODLE, your
main crypto weakness is RC4 and even that's remote for most users
(it would take me O(100 years) to send enough messages).

-- 
        Viktor.
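The two configurations discussed above, written out as a complete added example (not Viktor's or the Postfix project's own sample configuration). It assumes a stock master.cf layout for the submission service and a SASL backend that is already set up; the syslog_name and smtpd_client_restrictions overrides are conventional choices, not something stated in the thread. The point it shows is which protocol parameter applies at which security level: at "may" only smtpd_tls_protocols is consulted, while at "encrypt" smtpd_tls_mandatory_protocols is the one that matters, so the port-25 and submission settings have to be tuned separately.

```conf
# main.cf: port 25, opportunistic TLS for inbound MX traffic.
# smtpd_tls_auth_only keeps AUTH off the cleartext path, but with
# smtpd_tls_security_level = may it is smtpd_tls_protocols (not the
# *_mandatory_* parameter) that controls the handshake. Leaving
# smtpd_tls_protocols at its default deliberately keeps SSLv3 so that
# SSLv3-only peers still get encryption rather than falling back to
# cleartext; smtpd_tls_mandatory_protocols is simply not consulted here.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# master.cf: the submission service (port 587), where authentication
# belongs. TLS is mandatory here, so smtpd_tls_mandatory_protocols is the
# parameter that takes effect and disabling SSLv2/SSLv3 costs nothing.
# The service line columns and the last two -o overrides are assumed
# conventional values, not taken from the thread. Note that -o values in
# master.cf must not contain whitespace, hence the comma-only list.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

A quick way to confirm which parameter is in force for a given service is `postconf -n` for main.cf and `postconf -M submission/inet` (Postfix 2.11 and later) for the per-service overrides; the mandatory protocol list will only show up in the second.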
