update postfix settings due to DROWN attack
[ach-master.git] / src / configuration / MailServers / Postfix / main.cf
index cd7b9b0..11934b3 100644 (file)
@@ -32,7 +32,16 @@ smtp_tls_loglevel = 1
 smtpd_tls_auth_only = yes
 tls_ssl_options = NO_COMPRESSION
 
+# be explicit about turning off SSLv2 / v3 due to the DROWN attack
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_protocols = !SSLv2, !SSLv3
+
+lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+lmtp_tls_protocols = !SSLv2, !SSLv3
+
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3
+
 smtpd_tls_mandatory_ciphers=high
 tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 smtpd_tls_eecdh_grade=ultra
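Review bot: The comment on the first added line attributes both exclusions to DROWN, but DROWN depends on SSLv2 only; dropping SSLv3 is normally justified by POODLE, so the comment should say so, e.g. `# disable SSLv2 (DROWN) and SSLv3 (POODLE) for the SMTP client, LMTP client and SMTP server`. The `smtp_*` and `lmtp_*` lines harden Postfix acting as a client, while the DROWN exposure is on the server side and is cross-protocol. The `smtpd_*` lines therefore only close it if no other service using the same certificate and private key still accepts SSLv2, which cannot be checked from this hunk and is worth noting in the comment or the commit message. As a style point, the added lines use `key = value` while the neighbouring `smtpd_tls_mandatory_ciphers=high` lines use `key=value`; a follow-up could settle on one spacing for the file.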