Why do you feel compelled to tune these?
smtpd_tls_loglevel = 2
Too verbose. Stick with 1
On Sun, Feb 08, 2015 at 10:41:50PM -0700, LuKreme wrote:
smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
Why exclude TLSv1.1 and TLSv1.2? See the documentation.
The default is fine, but if you must tweak, exclude just
SSLv2.
smtpd_tls_protocols = !SSLv2
On the submission port (587) you can be more strict.
smtpd_tls_protocols = TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_sessions
smtpd_tls_session_cache_timeout = 1800s
# openssl s_client -connect 127.0.0.1:993
… stuff …
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server
On 02/08/2015 06:18 PM, LuKreme wrote:
# openssl s_client -connect 127.0.0.1:993
Port 993 is IMAPS which is not provided by postfix.
Peter
On 07 Feb 2015, at 22:28 , Peter pe...@pajamian.dhs.org wrote:
On 02/08/2015 06:18 PM, LuKreme wrote:
# openssl s_client -connect 127.0.0.1:993
Port 993 is IMAPS which is not provided by postfix.
Yes, of course. Sorry.
--
Gods don't like people not doing much work. People who aren't busy