Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-16 Thread Viktor Dukhovni
On Thu, Oct 16, 2014 at 09:02:04AM -0700, Grant wrote:

> >> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> >>
> >> The above is said to work with:
> >>
> >> smtpd_tls_security_level = encrypt
> >
> > Correct, since at that security level TLS is mandatory.
> >
> >> but does it work with:
> >>
> >

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-16 Thread Grant
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>>
>> The above is said to work with:
>>
>> smtpd_tls_security_level = encrypt
>
> Correct, since at that security level TLS is mandatory.
>
>> but does it work with:
>>
>> smtpd_tls_security_level = may
>> smtpd_tls_auth_only = yes
>
> No, for that

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Viktor Dukhovni
On Thu, Oct 16, 2014 at 07:14:52AM +0200, Robert Schetterer wrote:

> >> 4 SSLv3
> >> 22353 TLSv1
> >>
> >> 2 SSLv3
> >> 17664 TLSv1
> >
> > Yep, "slightly negative". The magnitude of the effect will vary
> > from site to site.
>
> Yes, you're right

My own small server had six SSLv3 inbound

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 23:32 Viktor Dukhovni wrote:
> On Wed, Oct 15, 2014 at 11:06:14PM +0200, Robert Schetterer wrote:
>
>>> Viktor Dukhovni:
>>> POODLE is not an SMTP attack. No need to panic. Disabling SSL 3.0 may feel good, but the net effect is slightly negative, since you'll no

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread li...@rhsoft.net
On 15.10.2014 at 23:06 Robert Schetterer wrote:
On 15.10.2014 at 22:44 A. Schulze wrote:
Viktor Dukhovni:
POODLE is not an SMTP attack. No need to panic. Disabling SSL 3.0 may feel good, but the net effect is slightly negative, since you'll now use cleartext with SSLv3-only SMTP peers.

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread A. Schulze
Harald Koch:
(RC4 on the other hand - Google and Yahoo are both still using it by default... *sigh.)

If *you* disable RC4, they *will* use other ciphers ...

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 11:06:14PM +0200, Robert Schetterer wrote:

> > Viktor Dukhovni:
> >
> >> POODLE is not an SMTP attack. No need to panic. Disabling SSL
> >> 3.0 may feel good, but the net effect is slightly negative, since
> >> you'll now use cleartext with SSLv3-only SMTP peers.
> >
>

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 23:11 Harald Koch wrote:
> On 15 October 2014 17:06, Robert Schetterer
> wrote:
>
> > doesn't look like losing much here
> >
> > 4 SSLv3
> > 22353 TLSv1
> >
> > 2 SSLv3
> > 17664 TLSv1
>
> When I did this I saw about the same number of SSLv3 c

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Harald Koch
On 15 October 2014 17:06, Robert Schetterer wrote:
>
> doesn't look like losing much here
>
> 4 SSLv3
> 22353 TLSv1
>
> 2 SSLv3
> 17664 TLSv1
>

When I did this I saw about the same number of SSLv3 connections so I looked at them in detail and every one was a SPAM attempt.

(RC4 on the other hand

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 22:44 A. Schulze wrote:
>
> Viktor Dukhovni:
>
>> POODLE is not an SMTP attack. No need to panic. Disabling SSL
>> 3.0 may feel good, but the net effect is slightly negative, since
>> you'll now use cleartext with SSLv3-only SMTP peers.
>
> to calculate the damage, count:
>

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread A. Schulze
Viktor Dukhovni:
POODLE is not an SMTP attack. No need to panic. Disabling SSL 3.0 may feel good, but the net effect is slightly negative, since you'll now use cleartext with SSLv3-only SMTP peers.

to calculate the damage, count:

< inbound >
# grep 'TLS connection established from' /var/lo

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 11:27:04AM -0700, Grant wrote:

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>
> The above is said to work with:
>
> smtpd_tls_security_level = encrypt

Correct, since at that security level TLS is mandatory.

> but does it work with:
>
> smtpd_tls_security_level = ma