Postfix – How to Disable SSLv3 in Postfix 2.11

opensslpostfixsslstarttlstls

I just noticed (by some online check tools) that my mailserver may allow SSLv3 and updated my configuration.

My current config in Postfix 2.11.2:

# inbound
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3

Unfortunately the tools keep saying SSLv3 is accepted.

How to convert the desired (nginx) configuration into Postfix (inbound and outbound) one?

Using Debian/7, Postfix/2.11.2, OpenSSL/1.0.1e

Best Answer

The tools were not lying!

The solution have to look this way:

# inbound
smtpd_tls_security_level = may
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3

smtp[d]_tls_security_level == "may": smtp[d]_tls_protocols is used
smtp[d]_tls_security_level == "encrypt": smtp[d]_tls_mandatory_protocols is used
smtp[d]_tls_security_level == "none": none of these two parameters is used

Related Solutions

Ssl – How to force a own set of ciphers in Postfix 2.11

From Applied Crypto Hardening by bettercrypto.org:

smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

[UPDATE: As the bettercrypto project, where I have the cipher-string from, is no longer active, make sure to chose your cipher-string from a current source.]

For master.cf you may want to configure the submission port to TLS only:

submission inet n - - - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o tls_preempt_cipherlist=yes

However, this does not disallow usage of outdated ciphers for security level may, according to pull request #97, you can do this with:

smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

But this has not been merged with the following reason:

I am going to close this, SSLv3 makes sense here since it's better than good ol' plaintext.

Postfix authenticate disable smtp port 25, but 587

Add this in your master.cf:

submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  ...

And remove smtpd_sasl_auth_enable = yes from your main.cf leaving the default no.

Best Answer

Related Solutions

Ssl – How to force a own set of ciphers in Postfix 2.11

Postfix authenticate disable smtp port 25, but 587

Related Topic