How to disable SSLv3 in Postfix 2.11?
11,403
The tools were not lying!
The solution have to look this way:
# inbound
smtpd_tls_security_level = may
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp[d]_tls_security_level== "may":smtp[d]_tls_protocolsis usedsmtp[d]_tls_security_level== "encrypt":smtp[d]_tls_mandatory_protocolsis usedsmtp[d]_tls_security_level== "none": none of these two parameters is used
Related videos on Youtube
10 : 41
How to Enable TLS(Transport Layer Security) Encryption in Postfix Mail Server
18 : 24
Enable SSL TLS in Postfix + Dovecot Mail Server (Port 465 993 995 587 SMTPS IMAPS POPS)
05 : 26
How to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 in Windows 10
01 : 33
How to Disable SSLv3 and SSLv2 on Windows Server, for IIS
01 : 19 : 48
CentOS 8 - Postfix SMTP, Dovecot POP IMAP and SSL/TLS
08 : 40
How to disable SSL 2, SSL3, TLS 1.0 and TLS 1.1 with Group Policy
01 : 40
DevOps & SysAdmins: How to disable SSLv3 in Postfix 2.11?
Author by
burnersk
Updated on September 18, 2022Comments
-
burnersk over 1 year
I just noticed (by some online check tools) that my mailserver may allow SSLv3 and updated my configuration.
My current config in Postfix 2.11.2:
# inbound smtpd_tls_security_level = may smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 # outbound smtp_tls_security_level = may smtp_tls_mandatory_protocols = !SSLv2 !SSLv3Unfortunately the tools keep saying SSLv3 is accepted.
How to convert the desired (nginx) configuration into Postfix (inbound and outbound) one?
Using Debian/7, Postfix/2.11.2, OpenSSL/1.0.1e
-
masegaloeh about 9 yearsUnlike HTTP, SMTP doesn't force its peer to connect through secure channel even our server was capable to do it. That's why postfix has two variations of smtp[d]_tls_protocols: mandatory and opportunistic. See this documentation page to see difference between opportunistic and mandatory. -
masegaloeh about 9 yearsIn other words, if you use the configuration above, a MTA which doesn't support TLS will fails to send email to you. And you can't send email to MTA who don't support TLS too. That's why, according to RFC 2487 mandatory mode MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.
-
burnersk about 9 yearsWell, there is still unencrypted 25. So MTA should fallback to unencrypted, right?
-
masegaloeh about 9 yearsWell, I'm not sure because you don't provide your complete TLS configuration. In short: smtpd_tls_protocols will used when your
smtpd_tls_security_level = may; smtpd_tls_mandatory_protocols will be used whensmtpd_tls_security_level = encrypt; Whensmtpd_tls_security_level = nonepostfix won't use both parameter . So, here two questions for you (1) Did your online tools scan port 25 too (2) What the output ofpostconf smtpd_tls_security_levelcommand? -
masegaloeh about 9 yearsJust reminder: don't forget to accept your own answer so this question would be left in unanswered state :)