On Mon, May 21, 2018 at 5:21 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> > On May 21, 2018, at 5:16 PM, Sean Son <linuxmailinglistsem...@gmail.com> wrote:
> >
> > lmtp_tls_mandatory_protocols = !SSLv2
> > lmtp_tls_protocols = !SSLv2
> > smtp_tls_mandatory_protocols = !SSLv2
> > smtp_tls_protocols = !SSLv2
> > smtpd_tls_mandatory_protocols = !SSLv2
> > smtpd_tls_protocols =
> >
> > I was informed by our security team that my postfix server has SSL
> > Version 2 and 3 protocol detected and SSL Medium Strength Cipher suites
> > supported. I am supposed to fix those two issues. Any suggestions on what
> > I should do to fix them without breaking opportunistic TLS is greatly
> > appreciated!
>
> Change the settings to the posted Postfix 3.0+ defaults.
> As for the medium ciphers, set "smtpd_tls_ciphers" and/or
> "smtp_tls_ciphers" to "high" if your logs for the past few
> months don't show any use of weaker ciphers (apart from any
> connections by internet-wide security scanners, which you
> should be able to recognize).
>
> --
> Viktor.

Thank you Viktor. I am still confused though:

When I tried to add the Postfix 3.0+ TLS settings to my main.cf file and I restarted postfix, I did a postconf -d | egrep '^[^ ]*mtpd?_tls.*_protocols', but it still shows me the old settings.

Also, if I set "smtpd_tls_ciphers" and/or "smtp_tls_ciphers" to "high", won't that conflict with opportunistic TLS? You had mentioned that adding those settings would force RC4-only implementations to send in the clear. Won't that be a problem with opportunistic TLS? I am totally confused here.
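
The log check Viktor describes (look for weaker ciphers in past logs before setting the cipher grade to "high"), as an added example that is not part of the original thread. It assumes TLS session logging is on (smtpd_tls_loglevel / smtp_tls_loglevel of 1 or more); the sample log lines are constructed, and the weak-cipher name pattern is a heuristic, not OpenSSL's own definition of HIGH.

```python
import re
import sys
from collections import Counter, defaultdict

# TLS summary line Postfix logs at smtpd_tls_loglevel / smtp_tls_loglevel >= 1.
TLS_LINE = re.compile(
    r"postfix/\S*?(?P<daemon>smtpd|smtp|lmtp)\[\d+\]: \w+ TLS connection "
    r"established (?:from|to) (?P<peer>\S+?\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
OLD_PROTOCOLS = {"SSLv2", "SSLv3"}
# Assumption: cipher names treated as below "high". The authoritative list is
# whatever the host's OpenSSL places in HIGH (see `openssl ciphers -v HIGH`).
WEAK_NAME = re.compile(r"RC4|DES|SEED|IDEA|EXP|NULL")

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = """\
May 21 10:01:02 mx1 postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 21 10:03:40 mx1 postfix/smtpd[2107]: Anonymous TLS connection established from legacy.example.org[198.51.100.7]: TLSv1 with cipher RC4-SHA (128/128 bits)
May 21 10:05:11 mx1 postfix/smtp[2111]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 21 10:09:55 mx1 postfix/smtpd[2120]: Anonymous TLS connection established from unknown[198.51.100.99]: SSLv3 with cipher DES-CBC3-SHA (112/168 bits)
May 21 10:10:02 mx1 postfix/smtpd[2120]: disconnect from unknown[198.51.100.99]
"""

def is_weak(proto, cipher, bits):
    """True for SSLv2/SSLv3 sessions, sub-128-bit keys, or a weak cipher name."""
    return proto in OLD_PROTOCOLS or bits < 128 or bool(WEAK_NAME.search(cipher))

def summarize(lines):
    """Return (session counts per (daemon, proto, cipher), weak key -> peers)."""
    usage = Counter()
    weak_peers = defaultdict(set)
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS session summary line
        key = (m["daemon"], m["proto"], m["cipher"])
        usage[key] += 1
        if is_weak(m["proto"], m["cipher"], int(m["bits"])):
            # Keep the peers so scanners can be told apart from real senders.
            weak_peers[key].add(m["peer"])
    return usage, dict(weak_peers)

if __name__ == "__main__":
    # Pipe real logs on stdin; with no pipe, the constructed sample is used.
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    usage, weak = summarize(source)
    for key, count in usage.most_common():
        flag = "WEAK" if key in weak else "ok"
        print(f"{count:6d} {flag:4} {' '.join(key)} {sorted(weak.get(key, []))}")
```

Weak rows under smtpd are inbound peers and rows under smtp are destinations this server delivered to; the peer list is what lets you separate scanner traffic from real correspondents.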