On Wed, Mar 02, 2016 at 10:22:12PM -0700, Richard B. Pyne wrote:
> I've added all but the forward secrecy part on my email server running
> postfix 2.10.1 (the latest in the CentOS7 repository), and
> test.drownattack.com still reports vulnerability on port 25. Any help will
> be greatly appreciated.
The data at that site is cached from prior scans:
https://test.drownattack.com/
This tool uses data collected during February 2016. It does
not immediately update as servers patch.
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd,
> kDHr, SEED, IDEA, RC2
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3
These look good.
> smtpd_tls_ciphers = medium
> smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2, !SSLv3
As do these. You're all set. But also upgrade to either of OpenSSL
1.0.2g or 1.0.1s, or whatever your O/S ships for backported fixes.
Consider removing any of the above that happen to be default settings
for your Postfix version as reported by "postconf -d".
--
Viktor.
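A script for the two points raised in the reply above (explicit settings that merely repeat the defaults shown by "postconf -d", and *_tls_*protocols settings that still permit SSLv2), as an added example that is not code from the thread or from Postfix; it assumes only a POSIX shell and awk, and the three samples it runs on are constructed stand-ins for real postconf output.

```shell
#!/bin/sh
# Added example (not from the thread): two checks over "postconf"-style
# "name = value" output. The three samples below are CONSTRUCTED; on a real
# host use: postconf -n > explicit.txt; postconf -d > defaults.txt
EXPLICIT_SAMPLE='smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3'              # stands in for "postconf -n"
DEFAULTS_SAMPLE='smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers =
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2'                      # stands in for "postconf -d" (illustrative)
WEAK_SAMPLE='smtpd_tls_protocols =
smtp_tls_protocols = !SSLv3
smtpd_tls_mandatory_protocols = TLSv1, TLSv1.2'    # deliberately weak, for the SSLv2 check

# redundant_settings EXPLICIT DEFAULTS: print explicit settings whose value
# equals the compiled-in default (candidates for removal from main.cf).
redundant_settings() {
    awk '{ i = index($0, " ="); name = substr($0, 1, i - 1)
           val = substr($0, i + 2); sub(/^ +/, "", val); gsub(/ +/, " ", val) }
         NR == FNR { def[name] = val; next }        # first file: defaults
         (name in def) && def[name] == val { print }' "$2" "$1"
}

# sslv2_allowed_params FILE: names of *_tls_*protocols parameters whose value
# still permits SSLv2 (the protocol DROWN depends on). Handles an exclusion
# list ("!SSLv2, !SSLv3"), an inclusion list ("TLSv1, TLSv1.2") and an empty
# value, which in Postfix means every protocol is allowed.
sslv2_allowed_params() {
    awk '/^smtpd?_tls(_mandatory)?_protocols *=/ {
           name = $1; val = $0; sub(/^[^=]*= */, "", val)
           if (val == "") { print name; next }
           n = split(val, it, /[ ,]+/); excl = 0; incl = 0
           for (k = 1; k <= n; k++) { if (it[k] == "!SSLv2") excl = 1
                                      if (it[k] == "SSLv2") incl = 1 }
           if (val ~ /!/ && !excl) print name       # exclusion list missing !SSLv2
           if (val !~ /!/ && incl) print name }' "$1"  # inclusion list naming SSLv2
}

# Write the samples to temp files (as real postconf output would be) and run both checks.
run_sample_checks() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$EXPLICIT_SAMPLE" > "$d/n"; printf '%s\n' "$DEFAULTS_SAMPLE" > "$d/d"
    printf '%s\n' "$WEAK_SAMPLE" > "$d/w"
    echo "Explicit settings equal to the default:"; redundant_settings "$d/n" "$d/d"
    echo "Parameters still allowing SSLv2:"; sslv2_allowed_params "$d/w"
    rm -rf "$d"
}
run_sample_checks
```

Values are compared after whitespace normalisation only, so a setting that differs from the default merely by ordering of its list items is still reported as different.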