How to disable SSLv3 in Postfix 2.11?
The tools were not lying!
The solution has to look this way:
# inbound
smtpd_tls_security_level = may
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
- smtp[d]_tls_security_level == "may": smtp[d]_tls_protocols is used
- smtp[d]_tls_security_level == "encrypt": smtp[d]_tls_mandatory_protocols is used
- smtp[d]_tls_security_level == "none": none of these two parameters is used
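As an added check, not part of the question or the answer above, the following POSIX shell script reads a main.cf-style file and reports, for the inbound (smtpd) and outbound (smtp) side, which protocol list Postfix consults at the configured security level and whether that list keeps SSLv3 out. The two sample files are constructed from the question's and the answer's settings; the file names, the function names and the treatment of verify/secure/fingerprint as mandatory levels are my assumptions.

```shell
# Constructed main.cf fragments: BROKEN_CF is the question's config (only the
# mandatory lists set while the level is "may"); FIXED_CF is the answer's config.
BROKEN_CF=${TMPDIR:-/tmp}/broken_main.cf.$$; FIXED_CF=${TMPDIR:-/tmp}/fixed_main.cf.$$
cat > "$BROKEN_CF" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
EOF
cat > "$FIXED_CF" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_protocols=!SSLv2,!SSLv3
EOF
# cf_get FILE PARAM: PARAM's value from a main.cf-style file (empty if unset).
cf_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }
# effective_param SIDE LEVEL: the protocol list Postfix consults for SIDE (smtpd =
# inbound, smtp = outbound) at LEVEL. Assumption: verify/secure/fingerprint act like encrypt.
effective_param() {
    case "$2" in
        may) echo "${1}_tls_protocols" ;;
        encrypt|verify|secure|fingerprint) echo "${1}_tls_mandatory_protocols" ;;
        *) echo "" ;;   # none or unset: TLS is off, neither list is used
    esac
}
# list_excludes_sslv3 VALUE: 0 if a Postfix protocol list keeps SSLv3 out. Handles exclusion
# lists ("!SSLv2, !SSLv3") and inclusive lists ("TLSv1 TLSv1.2"); an empty value allows all.
list_excludes_sslv3() {
    toks=$(printf '%s' "$1" | tr ',' ' ')
    case " $toks " in *" SSLv3 "*) return 1 ;; *" !SSLv3 "*) return 0 ;; esac
    for tok in $toks; do case "$tok" in '!'*) ;; *) return 0 ;; esac; done  # inclusive list
    return 1
}
# sslv3_check SIDE FILE: 0 if SIDE can never negotiate SSLv3 under FILE, 1 otherwise.
sslv3_check() {
    level=$(cf_get "$2" "${1}_tls_security_level"); level=${level:-none}; param=$(effective_param "$1" "$level")
    if [ -z "$param" ]; then echo "$1: level=$level, TLS disabled"; return 0; fi
    value=$(cf_get "$2" "$param")
    if list_excludes_sslv3 "$value"; then
        echo "$1: level=$level uses $param='$value': SSLv3 excluded"; return 0
    fi
    echo "$1: level=$level uses $param='$value': SSLv3 STILL ALLOWED"; return 1
}
for side in smtpd smtp; do
    sslv3_check "$side" "$BROKEN_CF" || :   # the consulted list is unset, so SSLv3 stays on
    sslv3_check "$side" "$FIXED_CF"         # the consulted list excludes SSLv3
done
```

On a live host the same functions can be pointed at the output of `postconf -n` written to a file instead of the constructed samples.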
Author: burnersk
Updated on September 18, 2022
Comments
-
burnersk over 1 year
I just noticed (by some online check tools) that my mailserver may allow SSLv3 and updated my configuration.
My current config in Postfix 2.11.2:
# inbound
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
Unfortunately the tools keep saying SSLv3 is accepted.
How do I convert the desired (nginx) configuration into a Postfix (inbound and outbound) one?
Using Debian/7, Postfix/2.11.2, OpenSSL/1.0.1e
-
masegaloeh about 9 years
Unlike HTTP, SMTP doesn't force its peer to connect through a secure channel even if our server is capable of it. That's why Postfix has two variations of smtp[d]_tls_protocols: mandatory and opportunistic. See this documentation page for the difference between opportunistic and mandatory.
-
masegaloeh about 9 years
In other words, if you use the configuration above, an MTA which doesn't support TLS will fail to send email to you. And you can't send email to an MTA which doesn't support TLS either. That's why, according to RFC 2487, mandatory mode MUST NOT be applied in the case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.
-
burnersk about 9 years
Well, there is still unencrypted 25. So the MTA should fall back to unencrypted, right?
-
masegaloeh about 9 years
Well, I'm not sure because you don't provide your complete TLS configuration. In short: smtpd_tls_protocols will be used when your smtpd_tls_security_level = may; smtpd_tls_mandatory_protocols will be used when smtpd_tls_security_level = encrypt; when smtpd_tls_security_level = none, Postfix won't use either parameter. So, here are two questions for you: (1) Did your online tools scan port 25 too? (2) What is the output of the postconf smtpd_tls_security_level command?
-
masegaloeh about 9 years
Just a reminder: don't forget to accept your own answer so this question isn't left in an unanswered state :)