Hi,

I plan on changing my postfix config from

    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_mandatory_protocols = !SSLv3, !SSLv2

to

    smtpd_tls_mandatory_protocols = !SSLv3, !SSLv2
    smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL

I ran this

    openssl ciphers -v ALL | grep -v SSLv3 | grep -v SSLv2

before and after the change on my test server and it lists 32 ciphers each time.

My questions:

1. Can I turn up the postfix debug level to see the actual cipher chosen when a mail server connects to my mail server?

My master.cf looks like this:

    smtp       inet  n       -       n       -       -       smtpd
    submission inet  n       -       n       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    smtps      inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

Do I just add some -vv onto submission and smtps and start watching the /var/log/maillog file to see if the ciphers chosen are in the logs?

Thank you, and if you need more info from me please ask.

-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG, Server Systems
860-486-9075
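
An added example, not part of the original message: one way to see which ciphers clients actually negotiate is to tally the TLS summary lines smtpd writes to the mail log and flag any that fall under the new exclusion list. It assumes smtpd_tls_loglevel = 1 is set in main.cf (a Postfix parameter the message does not mention); the log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Assumes smtpd_tls_loglevel = 1 in main.cf (a Postfix parameter, not in the
# message above); smtpd then logs one summary line per TLS handshake.

# Constructed sample lines in that log format (hosts and PIDs are made up).
sample_log() {
    cat <<'EOF'
Jan 12 10:15:01 mx1 postfix/smtpd[2101]: connect from mail.example.org[192.0.2.10]
Jan 12 10:15:01 mx1 postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 12 10:16:40 mx1 postfix/smtpd[2107]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)
Jan 12 10:17:05 mx1 postfix/smtpd[2110]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 12 10:18:30 mx1 postfix/smtpd[2112]: Anonymous TLS connection established from legacy.example.com[203.0.113.5]: TLSv1 with cipher RC4-SHA (128/128 bits)
EOF
}

# Read log lines on stdin; print "count protocol cipher", most frequent first.
tally_ciphers() {
    sed -n 's|.*/smtpd\[[0-9]*\]: .* TLS connection established from .*: \([^ ]*\) with cipher \([^ ]*\) .*|\1 \2|p' |
        sort | uniq -c | awk '{print $1, $2, $3}' | sort -k1,1nr -k2,3
}

# True if the cipher name falls under the new smtpd_tls_exclude_ciphers list.
# RC4 and aNULL are cipher classes, so they are matched by name pattern here
# (ADH-/AECDH- are OpenSSL's anonymous suites); this is an approximation.
is_excluded() {
    case "$1" in
        DES-CBC3-SHA|EDH-RSA-DES-CBC3-SHA) return 0 ;;
        *RC4*) return 0 ;;
        ADH-*|AECDH-*) return 0 ;;
    esac
    return 1
}

# Read log lines on stdin; print only the tallies for excluded ciphers.
excluded_hits() {
    tally_ciphers | while read -r count proto cipher; do
        if is_excluded "$cipher"; then echo "$count $proto $cipher"; fi
    done
}

echo "Negotiated ciphers:"
sample_log | tally_ciphers
echo "Still negotiated despite the exclusion list:"
sample_log | excluded_hits
```

On a live server the functions read the real log on stdin, for example tally_ciphers < /var/log/maillog. The openssl ciphers -v ALL listing in the message does not read main.cf, so these log lines are what show whether the exclusions took effect.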