Blocking SSLv2 in Postfix (2.7) for PCI compliance

Discussion in 'Server Operation' started by mjames85, Dec 10, 2010.

  1. mjames85

    mjames85 New Member

    Just posting this for the record as it took half a days googling and trial-and-error to get it blocked.

    add the following to your main.cf config file:

    Code:
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_protocols = SSLv3, TLSv1, !SSLv2
    smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
    then just do a postfix reload. eg.

    Code:
    /etc/init.d/postfix reload
    to check it's actually disabled use the following openssl command

    Code:
    openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2
    which should give you something like this:

    Code:
    CONNECTED(00000003)
    write:errno=104
    as opposed to the SSL3 test

    Code:
    openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl3
    CONNECTED(00000003)
    
    ....
    
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: AB6C68095ADFA60119F4845485D840A62DEB5B519E803510692F1BBCD71199CD
        Session-ID-ctx:
        Master-Key: 8BA2691B5EEEA9AE6752D804F0B0700C0792E7AD6BC6D19416B819EF5014FA80FAC51E124DFFB083C70A547AF522C149
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1292001315
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    220 mail.xxxxxxxxx.net ESMTP Postfix
     
  2. emdok

    emdok New Member

    Any advice for disabling sslv2 on Postfix 2.3 (rhel) ?
     
: pci, postfix, sslv2, sslv3, tls1

Share This Page