Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation
Reload this Page Blocking SSLv2 in Postfix (2.7) for PCI compliance
Register FAQ Members List Social Groups Calendar Search Today's Posts Mark Forums Read

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 10th December 2010, 18:20
mjames85 mjames85 is offline
Junior Member
  
Join Date: Dec 2010
Posts: 1
Thanks: 0
Thanked 1 Time in 1 Post
Post Blocking SSLv2 in Postfix (2.7) for PCI compliance
Just posting this for the record as it took half a days googling and trial-and-error to get it blocked.

add the following to your main.cf config file:

Code:
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = SSLv3, TLSv1, !SSLv2
smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
then just do a postfix reload. eg.

Code:
/etc/init.d/postfix reload
to check it's actually disabled use the following openssl command

Code:
openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2
which should give you something like this:

Code:
CONNECTED(00000003)
write:errno=104
as opposed to the SSL3 test

Code:
openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl3
CONNECTED(00000003)

....

SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AB6C68095ADFA60119F4845485D840A62DEB5B519E803510692F1BBCD71199CD
    Session-ID-ctx:
    Master-Key: 8BA2691B5EEEA9AE6752D804F0B0700C0792E7AD6BC6D19416B819EF5014FA80FAC51E124DFFB083C70A547AF522C149
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1292001315
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
220 mail.xxxxxxxxx.net ESMTP Postfix
Reply With Quote
The Following User Says Thank You to mjames85 For This Useful Post:
falko (11th December 2010)
Sponsored Links
  #2  
Old 25th July 2011, 19:18
emdok emdok is offline
Junior Member
  
Join Date: Feb 2009
Posts: 18
Thanks: 0
Thanked 1 Time in 1 Post
 
Default
Any advice for disabling sslv2 on Postfix 2.3 (rhel) ?
Reply With Quote
Reply

Bookmarks

Tags
pci, postfix, sslv2, sslv3, tls1

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
mail authentication failure - unknown user or password evok Installation/Configuration 9 16th October 2010 06:37
Undelivered Mail Returned to Sender Error202 General 5 7th May 2009 11:14
localhost postfix/master: fatal: bind 127.0.0.1 port 125: Permission denied g18c Installation/Configuration 4 24th March 2009 17:39
Centos 4.4 32bit Hangs, High Server load 3cwired_com Server Operation 11 16th November 2006 15:47
Verify email setup meekish Installation/Configuration 28 27th October 2006 15:36


All times are GMT +2. The time now is 08:26.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.