On Mon, May 21, 2018 at 2:08 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> > On May 21, 2018, at 1:16 PM, Sean Son <linuxmailinglistsem...@gmail.com> wrote:
> >
> > Hello all
> >
> > I have opportunistic TLS (offering STARTTLS) configured in my main.cf file. I have been tasked to disable SSLv2 and SSLv3 as well as disable medium strength ciphers (to use high strength ones instead) in my postfix server. If I was to add the following to my main.cf:
> >
> > smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
> > smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
> > smtpd_tls_protocols=!SSLv2,!SSLv3
> > smtp_tls_protocols=!SSLv2,!SSLv3
>
> These are default settings in all recent versions of Postfix.
>
>   $ postconf -d | egrep '^[^ ]*mtpd?_tls.*_protocols'
>   lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
>   lmtp_tls_protocols = !SSLv2, !SSLv3
>   smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
>   smtp_tls_protocols = !SSLv2, !SSLv3
>   smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>   smtpd_tls_protocols = !SSLv2, !SSLv3
>
> > will this be enough to disable medium strength ciphers as well
>
> No. In OpenSSL 1.0.2 the medium ciphers are typically RC4, 3DES, IDEA and SEED. Only RC4 is occasionally the only cipher supported by ancient Windows (2003) SMTP servers. When you disable RC4, those servers will send in the clear. That is likely not a problem for you, so if you wish to disable the "medium" ciphers, you'll need:
>
>   smtpd_tls_ciphers = high
>
> > Also would this configuration cause any issues with the opportunistic TLS configuration that I already have set up in my main.cf?
>
> It'll force ancient RC4-only implementations to send in the clear or perhaps not be able to send at all. By now that should be quite rare, but I don't disable "medium" on my server. Instead:
>
>   smtpd_tls_ciphers = medium
>   tls_preempt_cipherlist = yes
>
> Allows the server to choose the strongest cipher supported by the client. On the client side I have:
>
>   smtp_tls_ciphers = medium
>   smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
>
> leaving RC4/3DES enabled (if still supported by the underlying OpenSSL library, recent versions tend to come with RC4 and 3DES disabled).
>
> --
> Viktor.

Hello Viktor and Bill

Thank you for your responses. Here is what my current version of Postfix, version 2.10.1 (I am using RHEL 7 and this is the latest postfix version), default settings are for SSL:

  # postconf -d | egrep '^[^ ]*mtpd?_tls.*_protocols'
  lmtp_tls_mandatory_protocols = !SSLv2
  lmtp_tls_protocols = !SSLv2
  smtp_tls_mandatory_protocols = !SSLv2
  smtp_tls_protocols = !SSLv2
  smtpd_tls_mandatory_protocols = !SSLv2
  smtpd_tls_protocols =

I was informed by our security team that my postfix server has SSL Version 2 and 3 protocol detected and SSL Medium Strength Cipher suites supported. I am supposed to fix those two issues. Any suggestions on what I should do to fix them without breaking opportunistic TLS are greatly appreciated!

Thank you
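The two findings in this thread (SSLv2/SSLv3 still enabled by the Postfix 2.10 defaults, and the "medium" cipher grade) can be checked against a main.cf before touching the running server. The script below is an added example, not code from the thread, from Viktor, or from the Postfix project. It reads a main.cf file directly (so it runs without Postfix installed), applies the Postfix rule that a *_tls_protocols list containing any name without "!" is an inclusion list and otherwise an exclusion list, treats a parameter missing from main.cf as unhardened (which matches the 2.10 `postconf -d` output pasted above; on newer releases compare with `postconf -d` yourself), and reports the remediation lines Viktor gave: `!SSLv2, !SSLv3` for the four protocol parameters and `smtpd_tls_ciphers = high` for the cipher grade. The sample main.cf it audits is constructed for the example; the function names `cf_get`, `protocols_ok`, `cipher_grade_ok` and `audit_main_cf` are the example's own.

```shell
#!/bin/sh
# Added example: offline audit of a Postfix main.cf for SSLv2/SSLv3 and the
# "medium" cipher grade. Not part of the mailing-list thread or of Postfix.

# cf_get FILE PARAM: print the value of the last "PARAM = value" line in FILE
# (Postfix uses the last assignment when a parameter repeats), joining
# whitespace-led continuation lines; prints nothing if PARAM is absent.
cf_get() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }                                   # comment line
        /^[ \t]/   { if (cur == p) { s = $0; sub(/^[ \t]+/, "", s); v = v " " s }; next }
        index($0, "=") {
            cur = $0; sub(/[ \t]*=.*/, "", cur)               # parameter name
            if (cur == p) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            }
            next
        }
        END { print v }' "$1"
}

# protocols_ok VALUE: succeed when a *_tls_protocols value leaves neither SSLv2
# nor SSLv3 enabled. Postfix semantics (assumed here from its documentation): any
# name without "!" makes the list an inclusion list; otherwise every protocol is
# enabled except the "!"-prefixed ones, and an empty value enables everything.
protocols_ok() {
    include=0; v2=0; v3=0; has_v2=0; has_v3=0
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case "$tok" in
            '!SSLv2') v2=1 ;;
            '!SSLv3') v3=1 ;;
            SSLv2)    has_v2=1; include=1 ;;
            SSLv3)    has_v3=1; include=1 ;;
            '!'*)     ;;
            *)        include=1 ;;
        esac
    done
    if [ "$include" -eq 1 ]; then
        [ "$has_v2" -eq 0 ] && [ "$has_v3" -eq 0 ]
    else
        [ "$v2" -eq 1 ] && [ "$v3" -eq 1 ]
    fi
}

# cipher_grade_ok VALUE: only the "high" grade drops the medium-strength suites
# (RC4, 3DES, IDEA, SEED) named in the thread.
cipher_grade_ok() { [ "$1" = "high" ]; }

# audit_main_cf FILE: print one FINDING line per problem; return 1 if any.
audit_main_cf() {
    cf=$1; rc=0
    for param in smtpd_tls_protocols smtpd_tls_mandatory_protocols \
                 smtp_tls_protocols smtp_tls_mandatory_protocols; do
        val=$(cf_get "$cf" "$param")
        if ! protocols_ok "$val"; then
            printf 'FINDING: %s = "%s" still allows SSLv2 and/or SSLv3; set "%s = !SSLv2, !SSLv3"\n' \
                "$param" "$val" "$param"
            rc=1
        fi
    done
    for param in smtpd_tls_ciphers smtpd_tls_mandatory_ciphers; do
        val=$(cf_get "$cf" "$param")
        [ -n "$val" ] || val=medium      # Postfix compiled-in default grade
        if ! cipher_grade_ok "$val"; then
            printf 'FINDING: %s = "%s" allows medium-strength suites; set "%s = high"\n' \
                "$param" "$val" "$param"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample main.cf mirroring the Postfix 2.10 defaults shown in the
# thread: opportunistic TLS, only SSLv2 excluded, no cipher grade set.
SAMPLE_CF=$(mktemp)
cat > "$SAMPLE_CF" <<'EOF'
# constructed example main.cf
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
EOF
if audit_main_cf "$SAMPLE_CF"; then
    echo "no findings"
else
    echo "add the lines above to main.cf, then run: postfix reload"
fi
rm -f "$SAMPLE_CF"
```

Adding the four `!SSLv2, !SSLv3` lines and `smtpd_tls_ciphers = high` to the sample file makes the audit return clean; the `smtpd_tls_security_level = may` line is untouched, so opportunistic STARTTLS keeps working, which is the constraint in the question.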