git.bettercrypto.org / ach-master.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
update postfix settings due to DROWN attack
[ach-master.git] / src / configuration / MailServers / Postfix / main.cf
diff --git a/src/configuration/MailServers/Postfix/main.cf b/src/configuration/MailServers/Postfix/main.cf
index 15aede5..11934b3 100644 (file)
--- a/src/configuration/MailServers/Postfix/main.cf
+++ b/src/configuration/MailServers/Postfix/main.cf
@@ -32,9 +32,18 @@ smtp_tls_loglevel = 1
 smtpd_tls_auth_only = yes
 tls_ssl_options = NO_COMPRESSION
 
+# be explicit about turning off SSLv2 / v3 due to the DROWN attack
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_protocols = !SSLv2, !SSLv3
+
+lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+lmtp_tls_protocols = !SSLv2, !SSLv3
+
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2, !SSLv3
+
 smtpd_tls_mandatory_ciphers=high
-tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 smtpd_tls_eecdh_grade=ultra
 
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
applied crypto hardening (master repo)