On Sun, Feb 08, 2015 at 10:41:50PM -0700, LuKreme wrote:

> >> smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
> > 
> > Why exclude TLSv1.1 and TLSv1.2?  See the documentation.
> > The default is fine, but if you must tweak, exclude just
> > "SSLv2".
> > 
> >    smtpd_tls_protocols = !SSLv2
> > 
> > On the submission port (587) you can be more strict.
> 
> OK, thank you for the feedback. Some of the settings were simply leftovers
> I never changed, and I thought we wanted to exclude SSLv3 now.

With main.cf parameter overrides, less is more.  The "we" in question
is people trying to secure HTTPS (mandatory TLS) in web browsers.
With opportunistic TLS in SMTP, some protection is better than none.

    https://tools.ietf.org/html/rfc7435

While SSLv3 will no longer be needed in 2-5 years from now, as
ancient Exchange 2003 servers are phased out, there is no need to
rush out and preemptively disable it in opportunistic TLS as used
in MTA to MTA SMTP.

Depending on who your users correspond with, you may not lose much
by disabling SSLv3, but you'll not gain anything by doing so.
However, while turning off SSLv3 (if you so choose) do not disable
TLSv1.1 and TLSv1.2.

    Recommended:

        smtpd_tls_protocols = !SSLv2

    Mostly harmless:

        smtpd_tls_protocols = !SSLv2, !SSLv3

-- 
        Viktor.
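Added example, not part of the thread and not Postfix code: a small lint that applies the Postfix rule the reply above relies on (names prefixed with "!" are excluded; if any name is listed without "!", only the listed names are enabled) and shows why "TLSv1, !SSLv2, !SSLv3" leaves only TLSv1 while "!SSLv2" leaves everything but SSLv2. The protocol name list covers the versions OpenSSL knew in 2015 (TLSv1.3 is deliberately left out), and the main.cf text is constructed for the example.

```python
"""Lint smtpd_tls_protocols settings as Postfix interprets them (added example)."""
import re

# Assumption: the protocol names Postfix/OpenSSL accepted when this thread
# was written. Later releases add TLSv1.3; it is omitted on purpose.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def effective_protocols(value):
    """Return the set of protocols enabled by a smtpd_tls_protocols value.

    Postfix semantics: tokens starting with '!' are exclusions. If any token
    is listed without '!', only those inclusive names are enabled (and the
    exclusions still apply). An empty value enables everything.
    """
    include, exclude = set(), set()
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        name = tok[1:] if tok.startswith("!") else tok
        if name not in KNOWN:
            raise ValueError("unknown protocol name: %s" % name)
        (exclude if tok.startswith("!") else include).add(name)
    enabled = include if include else set(KNOWN)
    return enabled - exclude


def lint(value):
    """Findings for one setting value, in the spirit of the reply above."""
    enabled = effective_protocols(value)
    findings = []
    if "SSLv2" in enabled:
        findings.append("SSLv2 is enabled; exclude it with !SSLv2")
    for proto in ("TLSv1.1", "TLSv1.2"):
        if proto not in enabled:
            findings.append(
                "%s is disabled; listing TLSv1 by name excludes the newer versions"
                % proto)
    return findings


def lint_main_cf(text):
    """Scan main.cf text and lint every *_tls_protocols line found."""
    pattern = re.compile(r"^\s*((?:smtpd|smtp)_tls(?:_mandatory)?_protocols)\s*=\s*(.*?)\s*$")
    results = {}
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            results[m.group(1)] = lint(m.group(2))
    return results


# Constructed sample: the leftover setting from the question next to the
# recommended one for the submission (mandatory TLS) side.
SAMPLE_MAIN_CF = """
# leftover from an old config
smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
# mandatory-TLS setting used where smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

if __name__ == "__main__":
    for name, findings in lint_main_cf(SAMPLE_MAIN_CF).items():
        print(name, "->", findings or "ok")
```

Running it reports the first line as disabling TLSv1.1 and TLSv1.2 and the second as clean; swapping the first value for "!SSLv2" (the recommended setting) also comes back clean.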
