Hi,

For previous versions, SSLv2 was also implicitly disabled, e.g. here on Debian wheezy:

$ postconf mail_version
mail_version = 2.9.6h
$ postconf -d | grep SSL
lmtp_tls_mandatory_protocols = !SSLv2
lmtp_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2

Also in the docs:
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols
> The default value is "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, "!SSLv2" for older releases.

According to the paper, it's also default for Exim.

However, this is not (explicitly) part of our recommendations. We do not rely on sane defaults, as they are so different on all platforms, many maintainers have different opinions etc. But the defaults have been improved in the last year. (Thanks to azet here!)

All in all, it's mostly a documentation issue.

Sebastian

On 03/01/2016 09:08 PM, A. Schulze wrote:
>
> Sebastian:
>
>> Currently, for mailservers we allow SSL for opportunistic TLS encryption
>> between mailservers. For all other cases, SSL is disabled.
>
>
> there is no need to support SSLv2 or SSLv3 for MTA to MTA communication.
> postfix for example disables both protocols by default.
>
> # postconf mail_version
> mail_version = 3.1.0
>
> # postconf -d | grep SSL
> lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> lmtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2, !SSLv3
>
> Andreas
>
> _______________________________________________
> Ach mailing list
> [email protected]
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
> --
> python programming - mail server - photo - video - https://sebix.at
> cryptographic key at https://sebix.at/DC9B463B.asc and on public keyservers
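An added example, not part of the original message and not Postfix's own code: a Python check over `postconf` output that reports which TLS protocol parameters still leave SSLv2 or SSLv3 enabled, so the setting is verified on each host instead of assumed from version-dependent defaults. The parameter lines in the two samples are copied from the listings in this thread; the function names are hypothetical, and only the `!protocol` / `protocol` list syntax shown above is handled.

```python
import re

LEGACY = ("SSLv2", "SSLv3")
# Matches the six smtp/smtpd/lmtp *_tls_protocols parameters seen in the thread.
PARAM_RE = re.compile(r"^((?:smtpd?|lmtp)_tls_(?:mandatory_)?protocols)\s*=\s*(.*)$")

def legacy_allowed(value):
    """Return the legacy protocols a protocol list still permits."""
    tokens = [t for t in re.split(r"[,:\s]+", value.strip()) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    allowed = []
    for proto in LEGACY:
        if proto in excluded:
            continue                      # explicitly switched off
        if included and proto not in included:
            continue                      # an inclusion list that omits it
        allowed.append(proto)             # empty list or not excluded
    return allowed

def audit(postconf_output):
    """Map each TLS protocol parameter to the legacy protocols it allows."""
    findings = {}
    for line in postconf_output.splitlines():
        m = PARAM_RE.match(line.strip())
        if m and legacy_allowed(m.group(2)):
            findings[m.group(1)] = legacy_allowed(m.group(2))
    return findings

# Parameter lines from the Postfix 2.9.6 (wheezy) listing in this thread.
WHEEZY = """\
lmtp_tls_mandatory_protocols = !SSLv2
lmtp_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
"""
# Parameter lines from the Postfix 3.1.0 listing in this thread.
NEWER = WHEEZY.replace("!SSLv2", "!SSLv2, !SSLv3") + \
    "smtpd_tls_protocols = !SSLv2, !SSLv3\n"

if __name__ == "__main__":
    for name, text in (("2.9.6", WHEEZY), ("3.1.0", NEWER)):
        print(name, audit(text) or "no SSLv2/SSLv3 enabled")
```

On a live host, feed it the effective configuration (`postconf` without `-d`), since `-d` prints only the built-in defaults.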
