Hello, I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If I do the following:
  smtpd_tls_mandatory_protocols = SSLv3, TLSv1
  smtpd_tls_mandatory_ciphers = medium, high

but despite the fact that this configuration has been posted and reposted about the WWW, it does not actually work. I can still negotiate SSLv2:

  $ openssl s_client -connect xxxx.xxxxxxx.xxx:25 -starttls smtp -ssl2

If I add

  smtpd_tls_security_level = encrypt

it then works, but then plaintext clients cannot connect, and it is very unfortunate to find that real customers still use agents that create plaintext connections.

Of course I know what someone is going to say: why disable SSLv2 if clients can connect using plaintext? The reason is because of something called PCI DSS, which is a security standard for the credit card processing industry. If you want to process credit card numbers on your server without being extra liable for exposing them to bad guys, you have to pass PCI compliance, and the vulnerability companies that scan servers for compliance mindlessly flag anything that does SSLv2 as bad (it is mindless because of course they cannot flag accepting plaintext connections as bad, because then the server could not accept a significant amount of email, and if customers cannot pass their vulnerability scan they will not purchase their service).

So, is there any way to disable SSLv2 without requiring encryption?

Mike
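The two main.cf excerpts below are an added illustration, not configuration from the post or from the Postfix project. The first is the situation the post describes: at the default opportunistic security level ("may") the smtpd_tls_mandatory_* parameters are not consulted at all, which is why SSLv2 remains negotiable until the level is raised to "encrypt". The second is the setting that addresses it, but it relies on smtpd_tls_protocols and smtpd_tls_ciphers, which were added in Postfix 2.6 and do not exist in 2.3. The two sections are alternatives; only one of them belongs in a real main.cf, since for a repeated parameter the last value wins.

```ini
# main.cf excerpt (added example, not the poster's configuration)

# --- Section 1: what the post shows. Opportunistic TLS, SSLv2 still offered.
# At security level "may" the smtpd_tls_mandatory_* parameters are ignored;
# they only govern security level "encrypt". Postfix 2.3 has no separate
# protocol list for opportunistic TLS, so SSLv2 stays enabled for any
# client that asks for it.
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
# The cipher grade is a single value, not a list; "medium" already admits
# "high" grade ciphers as well.
smtpd_tls_mandatory_ciphers = medium

# --- Section 2: Postfix 2.6 and later. Keep "may", exclude SSLv2 everywhere.
smtpd_tls_security_level = may
# Governs opportunistic TLS (security level "may"); not available in 2.3.
smtpd_tls_protocols = !SSLv2
# Governs mandatory TLS (security level "encrypt"); kept in step.
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
```

After `postfix reload`, the check is the same command the post uses: `openssl s_client -connect host:25 -starttls smtp -ssl2` should now fail the handshake, while a plain SMTP session that never issues STARTTLS still succeeds, which is the combination the scanner wants. Note that `-ssl2` only works when the local OpenSSL was itself built with SSLv2 support; a build without it reports an unknown option rather than saying anything about the server.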