Re: [qmailtoaster] ssl problem

2020-04-23 Thread natan maciej milaszewski
Hi,
I used that link:

https://jonathansblog.co.uk/how-to-remove-or-disable-sslv2-and-enable-sslv3-and-tlsv1-in-courier-imap-apache-and-qmail


>
> This is not a problem in newer OSes because the SSLv3 protocol has been
> removed from newer versions of OpenSSL, so you can pick a ciphersuite
> with the strongest of the old ciphers and it will use the TLSv1 and/or
> TLSv1_1 protocols, which are supported by most older OSes.
>
> If you are savvy/brave enough (I am not), you can recompile OpenSSL
> with SSLv3 protocol disabled.  That is really the effect you want, and
> may be the only way to get it for incoming connections to qmail.
>
> This has been a very long-winded way to say that I don't think you can
> easily accomplish that which you wish.
>
> FYI: this is the issue which prompted me to upgrade from CentOS 5 to
> CentOS 7.
>
> -Andy
>
>
> PS: It would be nice to have a qmail patch which allows specifying the
> protocols in a file called /control/tlsserverprotocols.
>
>
>
>
>
> On 4/22/2020 2:53 PM, Eric Broch wrote:
>> Doesn't '!SSLv3' in your ciphers mean NO SSLv3 is accepted? So, your
>> command should be
>>
>> openssl s_client -connect mx.domain.ltd:25 -starttls smtp -no_ssl3
>>
>> not the following command which forces ssl3...
>>
>> openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3
>>
>> Correct?
>>
>> On 4/22/2020 9:57 AM, natan maciej milaszewski wrote:
>>> Hi
>>> I have Debian 8 and qmail with tcpserver.
>>>
>>> I have a big problem with disabling SSLv3, or I don't understand.
>>>
>>>
>>> I created /var/qmail/control/tlsserverciphers
>>> and put:
>>> ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM
>>>
>>> Now I restart qmail via svc:
>>>
>>> svc -d /service/qmail-smtpd
>>> svc -u /service/qmail-smtpd
>>> svc -d /service/qmail
>>> svc -u /service/qmail
>>>
>>>
>>> and tested via openssl s_client -connect host:25 -starttls smtp -ssl3,
>>> and I think SSLv3 is working:
>>>
>>>
>>> openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3
>>> CONNECTED(0003)
>>> write:errno=104
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 127 bytes and written 0 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> No ALPN negotiated
>>> SSL-Session:
>>>  Protocol  : SSLv3
>>>  Cipher    : 
>>>  Session-ID:
>>>  Session-ID-ctx:
>>>  Master-Key:
>>>  Key-Arg   : None
>>>  Krb5 Principal: None
>>>  PSK identity: None
>>>  PSK identity hint: None
>>>  Start Time: 1587570345
>>>  Timeout   : 7200 (sec)
>>>  Verify return code: 0 (ok)
>>> ---
>>>
>>> What am I doing wrong?
>>>
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>>> For additional commands, e-mail:
>>> qmailtoaster-list-h...@qmailtoaster.com
>>>
>>
>>
>
>





[qmailtoaster] ssl problem

2020-04-22 Thread natan maciej milaszewski
Hi
I have Debian 8 and qmail with tcpserver.

I have a big problem with disabling SSLv3, or I don't understand.


I created /var/qmail/control/tlsserverciphers
and put:
ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM

Now I restart qmail via svc:

svc -d /service/qmail-smtpd
svc -u /service/qmail-smtpd
svc -d /service/qmail
svc -u /service/qmail


and tested via openssl s_client -connect host:25 -starttls smtp -ssl3,
and I think SSLv3 is working:


openssl s_client -connect mx.domain.ltd:25 -starttls smtp -ssl3
CONNECTED(0003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 127 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1587570345
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

What am I doing wrong?



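Reading the s_client transcript in the post above: what follows is an added example, not code from the thread or from the qmail project. It is a small Python parser that decides whether an openssl s_client probe actually negotiated a session. FAILED_SSLV3_PROBE is the transcript from the post, embedded as constructed sample input; SUCCESSFUL_TLS12_PROBE is a constructed transcript of a server that accepts TLS 1.2 (the host name and cipher in it are assumptions). The decisive line is "New, ..., Cipher is ...": a cipher of (NONE), together with write:errno=104 (ECONNRESET on Linux) and 0 bytes written, means the server dropped the connection before any SSLv3 handshake completed, so the "Protocol : SSLv3" line under SSL-Session only echoes the version that -ssl3 told the client to offer. The same check reads a probe forced with -tls1 or -tls1_1 the same way; -no_ssl3, by contrast, removes SSLv3 from the client's offer and therefore says nothing about what the server accepts.

```python
"""Decide whether an `openssl s_client` transcript shows a negotiated session.

Added example (not from the qmailtoaster thread). Both transcripts below are
constructed sample input: the first is the output quoted in the post, the
second is what a successful TLS 1.2 probe of an assumed host looks like.
"""
import re

FAILED_SSLV3_PROBE = """\
CONNECTED(0003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 127 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1587570345
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
"""

# Constructed: a probe that the (assumed) server mx.example.invalid accepted.
SUCCESSFUL_TLS12_PROBE = """\
CONNECTED(0003)
---
Certificate chain
 0 s:/CN=mx.example.invalid
   i:/CN=Example CA
---
No client certificate CA names sent
---
SSL handshake has read 1543 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Start Time: 1587570400
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
"""

NEW_LINE = re.compile(r"^New, (?P<ver>[^,]+), Cipher is (?P<cipher>\S+)$", re.M)
SESSION_PROTO = re.compile(r"^\s*Protocol\s*:\s*(?P<proto>\S+)$", re.M)
HANDSHAKE = re.compile(r"^SSL handshake has read (?P<r>\d+) bytes and written (?P<w>\d+) bytes$", re.M)
IO_ERROR = re.compile(r"^(?:write|read|connect):errno=\d+$", re.M)


def parse_s_client(output: str) -> dict:
    """Summarise an s_client transcript; handshake_ok is True only if a cipher was agreed."""
    result = {"connected": "CONNECTED(" in output, "protocol_attempted": None,
              "cipher": None, "bytes_read": 0, "bytes_written": 0,
              "error": None, "handshake_ok": False}
    m = SESSION_PROTO.search(output)
    if m:
        # On a failed handshake this is the version the client offered, not a result.
        result["protocol_attempted"] = m.group("proto")
    m = NEW_LINE.search(output)
    if m and m.group("cipher") != "(NONE)":
        result["cipher"] = m.group("cipher")
    m = HANDSHAKE.search(output)
    if m:
        result["bytes_read"], result["bytes_written"] = int(m.group("r")), int(m.group("w"))
    m = IO_ERROR.search(output)
    if m:
        result["error"] = m.group(0)  # e.g. write:errno=104, ECONNRESET on Linux
    result["handshake_ok"] = result["cipher"] is not None and result["error"] is None
    return result


def protocol_rejected(output: str, protocol: str) -> bool:
    """True when a probe forced to `protocol` (e.g. -ssl3) ended without a session."""
    r = parse_s_client(output)
    return r["protocol_attempted"] == protocol and not r["handshake_ok"]


def describe(result: dict) -> str:
    """One-line verdict suitable for a hardening checklist."""
    if result["handshake_ok"]:
        return f"negotiated {result['protocol_attempted']} with {result['cipher']}"
    reason = result["error"] or "no cipher agreed"
    return (f"handshake failed ({reason}, {result['bytes_written']} bytes written); "
            f"'Protocol : {result['protocol_attempted']}' only echoes the client's offer")


if __name__ == "__main__":
    for name, text in (("SSLv3 probe", FAILED_SSLV3_PROBE), ("TLS1.2 probe", SUCCESSFUL_TLS12_PROBE)):
        print(f"{name}: {describe(parse_s_client(text))}")
```

Run it on the saved output of a probe (openssl s_client ... -ssl3 2>&1 > probe.txt) by passing the file contents to parse_s_client; a "rejected" verdict for each legacy version, checked alongside a successful modern probe of the same host, is the evidence that the server side, not the client, refused the protocol.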