On 17/02/17 11:43, Fazzina, Angelo wrote:
> Hi,

Hi, Angelo. Thanks for your prompt reply.

> Here is how I am dealing with "weak ciphers"
> You may be able to do the same type of config ?
>
> In /etc/postfix/main.cf
>
> # -ALF 2016-09-07
> # disable RC4 ciphers with TLS connections.
> #smtpd_tls_exclude_ciphers = RC4, aNULL
> # -ALF 2017-01-09
> # disable weak ciphers, and RC4 ciphers
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> #-ALF 2107-01-09
> # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA,
> EDH-RSA-DES-CBC3-SHA, RC4, aNULL

I tried this configuration, and the test now reports that it does not find weak ciphers. Thanks for sharing!

So I think this would replace these lines of https://cipherli.st:

------------------------------------------------------------------
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
------------------------------------------------------------------

right? Or do you think some of those other lines should be included?

What do you think of the other lines mentioned?

------------------------------------------------------------------
smtpd_use_tls=yes
smtpd_tls_security_level = may (X)
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/ssl/postfix.cert
smtpd_tls_key_file=/etc/ssl/postfix.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache (X)
------------------------------------------------------------------

Currently I have not configured the lines with an "X". I'm currently using "smtpd_tls_security_level = may", which uses TLS if it is supported by the remote SMTP server and otherwise uses plaintext. But I'm not using "smtpd_tls_security_level = may". I see the default value for this parameter is empty. Is that equivalent to "none"?

Thanks for your time.

Kind regards,
Daniel
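The main.cf settings discussed above can be checked mechanically rather than by eye. The following Python is an added example, not code from this thread or from Postfix: it parses a constructed sample main.cf (the parameter names are the real Postfix ones; the sample values are assumed), reports which of the cipher exclusions quoted above and which of the SSLv2/SSLv3 protocol exclusions are missing, and reports whether smtpd TLS is enabled at all, treating an empty smtpd_tls_security_level as falling back to the legacy smtpd_use_tls setting (whose default is "no").

```python
"""Audit a Postfix main.cf for the TLS hardening settings discussed in the thread."""
import re

# Constructed sample main.cf (assumed values), modelled on the settings quoted above.
SAMPLE_MAIN_CF = """\
# -ALF 2017-01-09
# disable weak ciphers, and RC4 ciphers
smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
    RC4, aNULL
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
"""

# OpenSSL cipher names/aliases the thread excludes: RC4, anonymous DH, 3DES (SWEET32).
WANTED_CIPHER_EXCLUDES = {"RC4", "aNULL", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA"}
# Minimum protocol exclusions; cipherli.st additionally excludes TLSv1 and TLSv1.1.
WANTED_PROTOCOL_EXCLUDES = {"!SSLv2", "!SSLv3"}


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last_key is not None:
            params[last_key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        last_key = key.strip()
        params[last_key] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return {item for item in re.split(r"[,\s]+", value) if item}


def audit(text):
    """Return the missing exclusions and whether the smtpd TLS engine is enabled."""
    params = parse_main_cf(text)
    excluded = split_list(params.get("smtpd_tls_exclude_ciphers", ""))
    protocols = split_list(params.get("smtpd_tls_protocols", ""))
    level = params.get("smtpd_tls_security_level", "")
    if level:
        tls_enabled = level != "none"
    else:
        # Empty level: Postfix falls back to the legacy smtpd_use_tls knob (default "no").
        tls_enabled = params.get("smtpd_use_tls", "no").lower() == "yes"
    return {
        "missing_cipher_excludes": sorted(WANTED_CIPHER_EXCLUDES - excluded),
        "missing_protocol_excludes": sorted(WANTED_PROTOCOL_EXCLUDES - protocols),
        "tls_enabled": tls_enabled,
    }
```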