Postfix-Tls: disabling SSLv2.0

#1 ridlo, 10th October 2006, 18:46

Heya!

In order to comply with SOX, Securitymetrics has been scanning our machines & gave us this message when scanning our mail server:

Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.

Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.


This is a Debian box, running sarge (3.1r4), Postfix-TLS 2.1.5-9. We are running SSLv3.0 & TLSv1.0.

So my question is, how do I disable the use of SSLv2.0 with postfix-tls?
#2 ridlo, 11th October 2006, 01:21
Fix

After some exhaustive searches, I discovered smtpd_tls_cipherlist & smtp_tls_cipherlist. I've also read that the directives are a bit outdated, but they seem to be working. Syntax is the same as you would use with the Apache directives.

smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
smtp_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
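
An added example, not part of the original posts: a simplified Python model of the cipher-string operators documented in OpenSSL's ciphers(1), applied to the cipher list from post #2. The suite table, its tags and the `@SSLv2` name suffix are constructed for illustration; the example also goes beyond the post by contrasting `-SSLv2` (removed, but a later item can add it back) with `!SSLv2` (permanent).

```python
# Simplified model of the cipher-string operators in OpenSSL's ciphers(1).
# SAMPLE is a constructed, abbreviated suite table (names and tags are
# illustrative); the "@SSLv2" suffix is a label added here, not an OpenSSL name.
SAMPLE = [
    ("DHE-RSA-AES256-SHA", {"SSLv3", "HIGH", "RSA", "AES"}),
    ("AES128-SHA",         {"SSLv3", "HIGH", "RSA", "AES"}),
    ("RC4-SHA",            {"SSLv3", "MEDIUM", "RSA", "RC4"}),
    ("ADH-AES256-SHA",     {"SSLv3", "HIGH", "ADH", "AES"}),
    ("EXP-RC4-MD5",        {"SSLv3", "EXP", "RSA", "RC4"}),
    ("DES-CBC-SHA",        {"SSLv3", "LOW", "RSA", "DES"}),
    ("RC4-MD5@SSLv2",      {"SSLv2", "MEDIUM", "RSA", "RC4"}),
    ("DES-CBC3-MD5@SSLv2", {"SSLv2", "HIGH", "RSA", "3DES"}),
]
TAGS = dict(SAMPLE)

# Cipher list from post #2.
PAGE_LIST = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL"

def evaluate(cipher_string):
    """Return the ordered suites left enabled after applying every item."""
    active, killed = [], set()
    for item in filter(None, cipher_string.split(":")):
        op = item[0] if item[0] in "!-+" else ""
        want = set(item[len(op):].split("+"))   # "RC4+RSA" means RC4 AND RSA
        hits = [n for n, tags in SAMPLE if want <= tags | {"ALL"}]
        rest = [n for n in active if n not in hits]
        if op == "!":        # permanent: can never be re-added
            killed.update(hits)
            active = rest
        elif op == "-":      # removed, but a later item may add it back
            active = rest
        elif op == "+":      # reorder only: move enabled matches to the end
            active = rest + [n for n in active if n in hits]
        else:                # add matches that are not enabled and not killed
            active += [n for n in hits if n not in active and n not in killed]
    return active

def sslv2_offered(cipher_string):
    """SSLv2 suites still enabled; an empty list means none is offered."""
    return [n for n in evaluate(cipher_string) if "SSLv2" in TAGS[n]]

if __name__ == "__main__":
    for s in (PAGE_LIST, "ALL:-SSLv2:RC4", "ALL:!SSLv2:RC4"):
        print(s, "->", sslv2_offered(s) or "no SSLv2 suites")
```

In this model the list from post #2 leaves no SSLv2 suite enabled because `-SSLv2` is not followed by any item that adds ciphers; `!SSLv2` gives the same result regardless of what follows it.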
All times are GMT +2.