Hi,

I have a postfix-3.5.10 system and am having a little trouble configuring
it to ensure I'm not including any vulnerable ciphers. I had
previously posted about this issue in September, and thought I
followed the instructions I was given, but a recent security scan
(onsecurity) shows port 25 is still vulnerable to the SWEET32 attack.

For reference, the previous discussion:
https://www.mail-archive.com/postfix-users@postfix.org/msg92857.html

This system is just a general smtp/submission/pop/imap box with no
mandatory crypto/certificate requirements. We also don't need to
maintain compatibility with legacy systems.

Here are my current settings:
# postconf -n -c /etc/postfix-117|grep -E 'tls|cipher'
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/cert.pem
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION

What am I missing? Is this redhat.com article accurate?
https://access.redhat.com/articles/1468593

I believe I was told that trying to explicitly define the cipher list
was a bad idea.

Thanks,
Alex
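As an added example (not part of the original post or of Postfix itself), the script below audits `postconf -n` output for the two settings that matter for a SWEET32 finding on an SMTP listener: whether the 64-bit block cipher keywords (3DES, IDEA) are in smtpd_tls_exclude_ciphers, and whether TLS 1.0/1.1 are excluded. It also assembles the OpenSSL cipher string Postfix would hand to OpenSSL for the default "medium" grade; the base string used for that is assumed to be the Postfix 3.x default of tls_medium_cipherlist. The sample input is constructed from the settings quoted above. Since the post shows a non-default config directory (`-c /etc/postfix-117`), it is worth running the check against every instance's config_directory, because the instance answering on port 25 is not necessarily the one whose settings were listed.

```python
"""Audit Postfix TLS settings for SWEET32-relevant parameters.

Added example code, not Postfix's own. Usage:
    postconf -n -c /etc/postfix-INSTANCE | python3 tls_audit.py
With no stdin input it runs against the constructed sample below.
"""
import re
import sys

# Constructed sample: the smtpd settings quoted in the post, in the
# exact layout `postconf -n` prints (continuation lines are indented).
SAMPLE_POSTCONF = """\
smtp_tls_security_level = may
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
    btree:${data_directory}/smtpd_tls_session_cache
tls_preempt_cipherlist = yes
"""

# OpenSSL cipher-list keywords that select 64-bit block ciphers, the
# class of suites SWEET32 targets. RC2/DES are LOW/EXPORT grade and
# never part of Postfix's "medium" list, so they are not checked here.
SWEET32_KEYWORDS = ("3DES", "IDEA")

# Protocol versions that a current scanner will flag if still enabled.
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
PROTOCOL_ORDER = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Assumption: the Postfix 3.x default value of tls_medium_cipherlist.
DEFAULT_MEDIUM_CIPHERLIST = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"


def parse_postconf(text):
    """Parse `postconf -n` output into a dict.

    Lines starting with whitespace continue the previous parameter,
    which is how postconf prints long values such as the session cache.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def sweet32_gaps(params, param="smtpd_tls_exclude_ciphers"):
    """Return the 64-bit block cipher keywords NOT excluded (sorted)."""
    excluded = {c.upper() for c in split_list(params.get(param, ""))}
    return sorted(k for k in SWEET32_KEYWORDS if k not in excluded)


def weak_protocols_allowed(params, param="smtpd_tls_protocols"):
    """Return weak protocol versions still enabled by `param`.

    Handles the exclusion form used by Postfix 3.5 ("!SSLv2,!SSLv3,...")
    and the ">=TLSv1.2" minimum-version form of newer releases.
    """
    value = params.get(param, "").strip()
    if value.startswith(">="):
        minimum = value[2:].strip()
        enabled = set(PROTOCOL_ORDER[PROTOCOL_ORDER.index(minimum):])
    else:
        excluded = {p[1:] for p in split_list(value) if p.startswith("!")}
        enabled = set(PROTOCOL_ORDER) - excluded
    return [p for p in WEAK_PROTOCOLS if p in enabled]


def effective_cipherlist(params):
    """Approximate the OpenSSL cipher string Postfix builds for smtpd:
    the grade's base list followed by one "!keyword" per exclusion."""
    grade = params.get("smtpd_tls_ciphers", "medium")
    base = params.get("tls_%s_cipherlist" % grade,
                      DEFAULT_MEDIUM_CIPHERLIST if grade == "medium" else "")
    excludes = split_list(params.get("smtpd_tls_exclude_ciphers", ""))
    return ":".join([base] + ["!" + c for c in excludes])


def report(text):
    """Human-readable summary; returns True when no finding is expected."""
    params = parse_postconf(text)
    gaps = sweet32_gaps(params)
    weak = weak_protocols_allowed(params)
    print("cipherlist passed to OpenSSL:", effective_cipherlist(params))
    print("64-bit block ciphers not excluded:", gaps or "none")
    print("weak protocols still enabled:", weak or "none")
    return not gaps and not weak


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POSTCONF
    sys.exit(0 if report(source) else 1)
```

A clean result from this script means the listed instance should not negotiate a 3DES suite; if the scanner still reports SWEET32 on port 25, the next thing to confirm is which Postfix instance (and which config_directory) actually owns that listener.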
