On Wed, Oct 15, 2014 at 05:53:31PM +0200, Luigi Rosa wrote:

> Just to be on the safe side, is it worth to disable SSL v3 on STARTTLS-enabled
> Postfix configurations?

The attacks in question are HTTP-specific, and apply primarily when
clients employ SSLv3 fallback after failing with TLS 1.2 or TLS 1.1.

So there's no need to do anything for SMTP with respect to SSL 3.0.

If you disable SSL 3.0, you won't be able to complete TLS handshakes
with some older, but still in use email security appliances (recent
sightings of these at some banks on the list this year IIRC).

Separately, if your port 587 submission service has no RC4-only
clients, you could disable RC4 on the submission service.

    smtpd_tls_mandatory_exclude_ciphers = RC4

The recent RC4 weaknesses can leak SASL PLAIN authentication
credentials after some number of millions of messages are sent
with the same login credentials.

This might break support for older versions of Outlook/Outlook
Express (Windows XP?).

-- 
        Viktor.
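An added example, not part of Viktor's message or of the Postfix project: the
exclusion above only takes effect on services where TLS is mandatory (the
smtpd_tls_mandatory_* parameters govern smtpd_tls_security_level=encrypt and
wrapper-mode smtps), whereas opportunistic STARTTLS on port 25 is governed by
smtpd_tls_exclude_ciphers. The script below parses a constructed master.cf,
resolves each smtpd service's effective setting against assumed main.cf values
(hypothetical site settings, labelled in the code), and reports whether RC4 is
really excluded there. The service names, main.cf values and probe host are
assumptions for the example.

```python
"""Audit RC4 exclusion per Postfix smtpd service from master.cf overrides.

Added example: parses a constructed master.cf, resolves each smtpd service's
effective TLS policy against assumed main.cf values, and reports whether RC4
is actually excluded for that service (and warns when the wrong parameter
was used).
"""

# Constructed sample master.cf (not a real deployment's file).
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_mandatory_exclude_ciphers=RC4
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_mandatory_exclude_ciphers=RC4
# Misconfigured: excludes RC4 via the mandatory-TLS parameter, but TLS is
# only opportunistic here, so the exclusion never takes effect.
altsmtp    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_mandatory_exclude_ciphers=RC4
"""

# Assumed main.cf values for the parameters we resolve. These are hypothetical
# site settings for the example (only the last three are Postfix defaults).
ASSUMED_MAIN_CF = {
    "smtpd_tls_security_level": "may",          # opportunistic STARTTLS on 25
    "smtpd_tls_wrappermode": "no",              # Postfix default
    "smtpd_tls_exclude_ciphers": "",            # Postfix default
    "smtpd_tls_mandatory_exclude_ciphers": "",  # Postfix default
}


def parse_master_cf(text):
    """Return {"name/type": {"command": str, "overrides": {param: value}}}.

    A service entry starts in column 1 with eight fields (name, type, private,
    unpriv, chroot, wakeup, maxproc, command); indented lines continue the
    command's arguments. "-o name=value" pairs become per-service overrides.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation before any service: %r" % raw)
            args = raw.split()
        else:
            fields = raw.split()
            if len(fields) < 8:
                raise ValueError("malformed service line: %r" % raw)
            key = fields[0] + "/" + fields[1]
            current = services[key] = {"command": fields[7], "overrides": {}}
            args = fields[8:]
        # Walk "-o param=value" pairs; other args (e.g. "-v") are ignored here.
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                param, value = args[i + 1].split("=", 1)
                current["overrides"][param.strip()] = value.strip()
                i += 2
            else:
                i += 1
    return services


def tls_policy(service, main_cf=ASSUMED_MAIN_CF):
    """Resolve the effective RC4 exclusion for one parsed smtpd service."""
    overrides = service["overrides"]

    def get(param):
        return overrides.get(param, main_cf.get(param, ""))

    level = get("smtpd_tls_security_level")
    wrapper = get("smtpd_tls_wrappermode") == "yes"
    # Mandatory TLS: security_level=encrypt, or wrapper mode (smtps), which
    # always enforces TLS and therefore uses the smtpd_tls_mandatory_* settings.
    mandatory = wrapper or level == "encrypt"
    param = ("smtpd_tls_mandatory_exclude_ciphers" if mandatory
             else "smtpd_tls_exclude_ciphers")
    excluded = [c.strip().upper() for c in get(param).replace(",", " ").split()]
    warnings = []
    if not mandatory and "smtpd_tls_mandatory_exclude_ciphers" in overrides:
        warnings.append("smtpd_tls_mandatory_exclude_ciphers is set but TLS is "
                        "not mandatory on this service; only "
                        "smtpd_tls_exclude_ciphers applies to opportunistic TLS")
    return {"level": level, "mandatory": mandatory, "exclude_param": param,
            "rc4_excluded": "RC4" in excluded, "warnings": warnings}


def audit(master_cf_text, main_cf=ASSUMED_MAIN_CF):
    """Audit every smtpd service in master.cf; returns {"name/type": policy}."""
    return {key: tls_policy(svc, main_cf)
            for key, svc in parse_master_cf(master_cf_text).items()
            if svc["command"] == "smtpd"}


def openssl_probe(host, port, starttls=True):
    """argv for a live check that a server refuses RC4 (needs network access)."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-cipher", "RC4"]
    if starttls:
        cmd += ["-starttls", "smtp"]
    return cmd


if __name__ == "__main__":
    for name, pol in audit(SAMPLE_MASTER_CF).items():
        print("%-16s mandatory=%-5s rc4_excluded=%-5s via %s" % (
            name, pol["mandatory"], pol["rc4_excluded"], pol["exclude_param"]))
        for w in pol["warnings"]:
            print("    warning:", w)
    print(" ".join(openssl_probe("mail.example.com", 587)))
```

To confirm the change on a live host, run the printed openssl command against
the submission port: a server that excludes RC4 answers with a handshake
failure, while an OpenSSL built without RC4 refuses to run the probe at all,
so check the client side first.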
