http://disablessl3.com/
When I ran a series of email server checks, I was surprised that one claimed to disable SSL3 to avoid the POODLE hack. Seems very unlikely to me. Anyway, the link above does suggest doing that.

  Original Message
From: Alice Wonder
Sent: Sunday, November 8, 2015 1:23 PM
To: postfix-users@postfix.org
Subject: Re: Weak Ciphers

To be RFC compliant, port 25 must accept MTA to MTA connections with no encryption.

When another server can't connect with encryption, it will try without. Allowing weak ciphers is better than the result where ciphers are not used because the other server only supports older ciphers, in my opinion.

Hopefully DANE will largely solve this, as we can instruct our mail servers, when the other server has a TLSA record, to only connect using a strong cipher and not connect at all otherwise.

I'm hoping eventually that becomes standard where every mail server MUST use TLSA records, but I don't know if that will ever happen.

On 11/08/2015 04:52 AM, John Allen wrote:
> I ran the ssl-tools tests on my mail server.
> Everything seems to be OK, *BUT* it reports that I am using a weak
> cipher "ECDHE_RSA_WITH_RC4_128_SHA"!
>
> So I sat down and googled - postfix/dovecot/apache - cipher
> suites/recommendations less than one year old.
> I gave up at about the fifteenth response. Every one of them was
> different and gave me lists of ciphers ranging in length from about eight
> to almost a full web page.
>
> Would somebody point me in the right direction? I am trying to make my
> installation secure, but manageable.
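
The settings discussed in this thread, as an added Postfix main.cf sketch that is not part of the original messages or of any poster's configuration. It assumes Postfix 2.11 or later and a DNSSEC-validating resolver for the DANE lines; the specific values are one reasonable choice, not a recommendation taken from the thread.

```ini
# main.cf fragment (added illustration, values are assumptions)

# Inbound port 25: offer STARTTLS but still accept plaintext,
# as MTA-to-MTA delivery requires.
smtpd_tls_security_level = may

# Refuse SSLv2 and SSLv3 (the change the linked site suggests for POODLE).
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Where TLS is mandatory (for example a submission service that sets
# smtpd_tls_security_level = encrypt), require the "high" grade and drop RC4.
# Opportunistic port-25 sessions are left on the default cipher grade,
# which is the trade-off described in the reply above.
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = RC4, aNULL, MD5

# Let the server's preference order decide, not the client's.
tls_preempt_cipherlist = yes

# Outbound: use DANE when the destination publishes usable TLSA records
# (TLS is then required and authenticated); otherwise fall back to
# opportunistic TLS.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
```

After reloading Postfix, `postconf -n` shows the non-default values that are actually in effect.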