# postconf -n | grep _tls_
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_ciphers = high
# is smtp_tls_exclude needed?
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_loglevel = 2
smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_sessions
smtpd_tls_session_cache_timeout = 1800s
# openssl s_client -connect 127.0.0.1:993
… stuff …
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 74C111205F8DC120D0A5ABAFD1CA5BE88523F775B5DCF0D13529D685369CF2ED
    Session-ID-ctx:
    Master-Key: ED4BB02DA0BDD821E96B0EAE1A6B3BA1E5147473A637A651B8D1B72CD72470512F6842652F61A37952FEC01DF321D20F
    Key-Arg   : None
    Start Time: 1423372148
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Doesn't "New, TLSv1/SSLv3" indicate that SSLv3 is still allowed?

-- 
the first man to hear the voice of Om, and who gave Om his view of humans, was a shepherd and not a goatherd. They have quite different ways of looking at the world, and the whole of history might have been different. For sheep are stupid and have to be driven. But goats are intelligent and have to be led. (Small Gods)
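As an added example, not part of the post above: a small Python checker that parses the two outputs quoted in it. It reads the `smtpd_tls_protocols` and `smtpd_tls_exclude_ciphers` policy from `postconf -n` output and takes the negotiated version from the `Protocol :` line of the `SSL-Session` block; in OpenSSL 1.0.x output the `New, TLSv1/SSLv3` header names the cipher's protocol family rather than the negotiated version. The sample strings are constructed from the post, and the parameter names are the Postfix ones shown there.

```python
import re

# Constructed from the postconf -n output quoted in the post (TLS lines only).
POSTCONF_OUTPUT = """\
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = may
"""

# Constructed excerpt of the openssl s_client output quoted in the post.
S_CLIENT_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
"""

def parse_postconf(text):
    """Turn 'key = value' lines from postconf -n into a dict (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def tls_protocols_policy(conf, param="smtpd_tls_protocols"):
    """Return (included, excluded) names from a Postfix *_tls_protocols value.
    Names prefixed with '!' are exclusions; bare names form an inclusion list."""
    tokens = [t for t in re.split(r"[,\s]+", conf.get(param, "")) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    return included, excluded

def sslv3_disabled(conf, param="smtpd_tls_protocols"):
    """True when SSLv3 is excluded, or an inclusion list is given without it."""
    included, excluded = tls_protocols_policy(conf, param)
    return "SSLv3" in excluded or (bool(included) and "SSLv3" not in included)

def excluded_ciphers(conf, param="smtpd_tls_exclude_ciphers"):
    """Set of cipher exclusion tokens, e.g. to confirm aNULL and RC4 are listed."""
    return {t for t in re.split(r"[,\s]+", conf.get(param, "")) if t}

def negotiated_protocol(text):
    """Read the negotiated version from the SSL-Session 'Protocol :' line.
    The 'New, TLSv1/SSLv3' header is OpenSSL 1.0.x naming the cipher's
    protocol family, so it alone does not show that SSLv3 was negotiated."""
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None
```

Run `sslv3_disabled(parse_postconf(POSTCONF_OUTPUT))` against your own `postconf -n` output to check the server-side policy; `negotiated_protocol` tells you what a given `s_client` session actually used.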