On Wed, Jan 11, 2017 at 09:27:25PM +0000, Fazzina, Angelo wrote:

> I plan on changing my postfix config from
> smtpd_tls_exclude_ciphers = RC4, aNULL
> smtpd_tls_mandatory_protocols = !SSLv3, !SSLv2
> 
> to
> 
> smtpd_tls_mandatory_protocols = !SSLv3, !SSLv2
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL

If you want to disable triple-DES ciphers, use "3DES", rather than
the first two exclusions above.

> I ran this
> openssl ciphers -v ALL|grep -v SSLv3 |grep -v SSLv2

DO NOT confuse SSLv3 ciphers (many of which are still used and
needed for interoperability in TLS 1.0, TLS 1.1, and TLS 1.2) with
the SSLv3 protocol.

The set of ciphers supported when SSLv2/SSLv3 are disabled still
includes many SSLv3 ciphers.

-- 
        Viktor.
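
An added illustration of both points in the reply above (not part of the original thread, and not Postfix or OpenSSL code): over a constructed sample laid out like `openssl ciphers -v` output, it shows which suites the quoted grep hides and which 3DES suites survive an exclusion by name. The sample lines and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample in the column layout of `openssl ciphers -v`.
# Column 2 names the protocol version that first defined the suite,
# not the only protocol the suite can be negotiated with.
sample_ciphers() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256               TLSv1.2 Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA256
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA      SSLv3   Kx=ECDH Au=RSA Enc=3DES(168)   Mac=SHA1
EDH-RSA-DES-CBC3-SHA        SSLv3   Kx=DH   Au=RSA Enc=3DES(168)   Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
EOF
}

# Suite names that survive the grep pipeline quoted in the thread.
visible_after_grep() {
    sample_ciphers | grep -v SSLv3 | grep -v SSLv2 | awk '{print $1}' | xargs
}

# Suites that grep hides although they are neither 3DES nor RC4; with
# SSLv2/SSLv3 disabled these remain what TLS 1.0 and 1.1 peers negotiate.
hidden_but_wanted() {
    sample_ciphers |
        awk '$2 == "SSLv3" && $5 !~ /^Enc=(3DES|RC4)/ {print $1}' | xargs
}

# 3DES suites (by the Enc= column) still enabled after excluding only
# the suite names passed as arguments.
three_des_left() {
    sample_ciphers |
        awk -v drop=" $* " \
            '$5 ~ /^Enc=3DES/ && index(drop, " " $1 " ") == 0 {print $1}' |
        xargs
}

echo "shown by grep -v SSLv3:   $(visible_after_grep)"
echo "hidden, still TLS-usable: $(hidden_but_wanted)"
echo "3DES left after 2 names:  $(three_des_left DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA)"
```

On a live system, `openssl ciphers -v '3DES'` lists the suites that the "3DES" class covers in the installed OpenSSL build.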
