Is the following reasonable and/or acceptable, and a better question - will it work?

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = EXPORT, LOW, IDEA, 3DES, MD5, SRP, PSK, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, RC2, RC5
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_sasl_auth_enable = no

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
smtpd_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtpd_tls_key_file = /root/ssl/private/$mydomain.mail.key
smtpd_tls_received_header = yes


On 2016-03-03 12:34 AM, Viktor Dukhovni wrote:
> On Wed, Mar 02, 2016 at 10:22:12PM -0700, Richard B. Pyne wrote:
> 
> > I've added all but the forward secrecy part on my email server running
> > postfix 2.10.1 (the latest in the CentOS7 repository), and
> > test.drownattack.com still reports vulnerability on port 25. Any help will
> > be greatly appreciated.
> 
> The data at that site is cached from prior scans:
> 
>      https://test.drownattack.com/
> 
>         This tool uses data collected during February 2016. It does
>         not immediately update as servers patch.
> 
> > smtp_tls_ciphers = medium
> > smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
> > smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> > smtp_tls_protocols = !SSLv2, !SSLv3
> 
> These look good.
> 
> > smtpd_tls_ciphers = medium
> > smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> 
> As do these.  You're all set.  But also upgrade to either of OpenSSL
> 1.0.2g or 1.0.1s, or whatever your O/S ships for backported fixes.
> 
> Consider removing any of the above that happen to be default settings
> for your Postfix version as reported by "postconf -d".
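A runnable version of the two checks this thread lands on (compare your explicit settings against "postconf -d" so redundant lines can be dropped, and confirm that every protocol setting really rules out SSLv2 and SSLv3), as an added example that is not part of any message in the thread. It assumes only a POSIX shell and awk; the two input files are constructed inline with invented values, and the postconf invocations in the header comment are shown only for running it against a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: two checks for a Postfix TLS
# configuration like the ones above. (1) list explicit main.cf settings that
# merely restate the compiled-in default, as suggested with "postconf -d";
# (2) confirm every *_tls_protocols / *_tls_mandatory_protocols setting rules
# out SSLv2 and SSLv3. The two input files are constructed here for an offline
# run; on a real host generate them with
#     postconf -nx > settings.txt     # -x expands $name references (Postfix 2.10+)
#     postconf -d  > defaults.txt

# redundant_settings SETTINGS DEFAULTS
#   Print every "name = value" line of SETTINGS whose value equals the
#   default for the same name in DEFAULTS.
redundant_settings() {
    awk '
        {
            i = index($0, " = ")
            if (i > 0) { val = substr($0, i + 3) } else { i = index($0, " ="); val = "" }
            if (i == 0) next                          # not a "name = value" line
            name = substr($0, 1, i - 1)
        }
        NR == FNR { def[name] = val; next }           # first file: defaults
        (name in def) && def[name] == val { print }   # second file: explicit copies
    ' "$2" "$1"
}

# check_protocols SETTINGS
#   Print "ok NAME" or "FAIL NAME" for each protocol setting present in
#   SETTINGS; exit non-zero if any fails. A setting passes if it excludes
#   both SSLv2 and SSLv3, or if it is an inclusive list that only names TLS
#   versions (e.g. "TLSv1, TLSv1.1, TLSv1.2"). Settings left at their default
#   do not appear in postconf -n output and are therefore not checked here.
check_protocols() {
    awk '
        BEGIN { rc = 0 }
        /^smtpd?_tls_(mandatory_)?protocols *=/ {
            val = $0; sub(/^[^=]*= */, "", val)
            excl_ok = (val ~ /!SSLv2/ && val ~ /!SSLv3/)
            incl_ok = (val ~ /^(TLSv[0-9.]+[ ,]*)+$/)
            if (excl_ok || incl_ok) print "ok   " $1
            else { print "FAIL " $1; rc = 1 }
        }
        END { exit rc }
    ' "$1"
}

# --- constructed sample inputs (values invented for the demo, not the real
# --- defaults of any Postfix release) ---
SAMPLE_N=$(mktemp) && SAMPLE_D=$(mktemp)
trap 'rm -f "$SAMPLE_N" "$SAMPLE_D"' EXIT
cat > "$SAMPLE_N" <<'EOF'
smtp_tls_ciphers = medium
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2
smtpd_sasl_auth_enable = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
smtpd_tls_security_level = may
EOF
cat > "$SAMPLE_D" <<'EOF'
smtp_tls_ciphers = medium
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols =
smtpd_sasl_auth_enable = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols =
smtpd_tls_security_level =
EOF

echo "== explicit settings identical to the default (safe to drop) =="
redundant_settings "$SAMPLE_N" "$SAMPLE_D"
echo "== protocol settings =="
check_protocols "$SAMPLE_N" || echo "at least one setting still admits SSLv2 or SSLv3"
```

With the constructed data the first check reports four redundant lines and the second flags smtp_tls_protocols, which excludes only SSLv2. The check covers Postfix alone: DROWN is a cross-protocol attack, so any other service that presents the same RSA key with SSLv2 enabled exposes this server as well, which is one reason the OpenSSL upgrade above matters beyond the main.cf settings.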

