Subject: [Hangout - NYLXS] TLS ciphers
I have a postfix-3.5.10 system and am having a little trouble configuring
it to ensure I'm not including any vulnerable ciphers. I had
previously posted about this issue in September, and thought I
followed the instructions I was given, but a recent security scan
(onsecurity) shows port 25 is still vulnerable to the SWEET32 attack.
For reference, the previous discussion:
This system is just a general smtp/submission/pop/imap box with no
mandatory crypto/certificate requirements. We also don't need to
maintain compatibility with legacy systems.
Here are my current settings:
# postconf -n -c /etc/postfix-117|grep -E 'tls|cipher'
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/cert.pem
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
What am I missing? Is this redhat.com article accurate?
I believe I was told that trying to explicitly define the cipher list
was a bad idea.
Hangout mailing list
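An added check, written for this thread and not part of the original post or of Postfix itself: Postfix does not hand smtpd_tls_exclude_ciphers to OpenSSL as written; it takes the cipherlist for the selected grade (smtpd_tls_ciphers, which defaults to "medium" when smtpd_tls_security_level = may) and appends each excluded name as "!NAME". The script below builds that string the same way, lets the local OpenSSL resolve it through the standard-library ssl module, and lists any 64-bit-block (3DES/IDEA, i.e. SWEET32-relevant) suites that survive. It also includes the probe a scanner effectively runs: offer only 3DES over STARTTLS and see whether the server accepts it. Assumptions: the base list is the Postfix 3.5 default for tls_medium_cipherlist (confirm with `postconf -d tls_medium_cipherlist` on the real box), and `mail.example.invalid` in the usage section is a placeholder host.

```python
"""Resolve a Postfix-style cipherlist with the local OpenSSL and flag SWEET32 suites.

Added example for the thread, not Postfix code. The base list is assumed to be
Postfix 3.5's default tls_medium_cipherlist; verify with `postconf -d`.
"""
import smtplib
import ssl

# Assumed Postfix 3.5 default for tls_medium_cipherlist (check with postconf -d).
POSTFIX_MEDIUM = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"

# The exclusions exactly as given in the post.
EXCLUDE = "MD5, RC4, 3DES, IDEA, SEED"

# Substrings that identify 64-bit block ciphers in OpenSSL suite names.
SWEET32_MARKERS = ("DES", "IDEA")


def split_postfix_list(value):
    """Postfix list parameters accept commas and/or whitespace as separators."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def build_cipherlist(base, exclude):
    """Mimic Postfix: grade cipherlist followed by '!NAME' for each exclusion."""
    return ":".join([base] + ["!" + name for name in split_postfix_list(exclude)])


def resolve_cipherlist(cipherlist, min_version=ssl.TLSVersion.TLSv1_2):
    """Ask the local OpenSSL which suites the string enables; return their names.

    Raises ssl.SSLError if the string leaves no usable cipher at all, which is
    the failure mode of an over-eager exclusion list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version  # the post disables SSLv3/TLS1.0/TLS1.1
    ctx.set_ciphers(cipherlist)
    return [c["name"] for c in ctx.get_ciphers()]


def sweet32_suites(names):
    """Return the suites whose name indicates a 64-bit block cipher (3DES, IDEA)."""
    return [n for n in names if any(m in n for m in SWEET32_MARKERS)]


def probe_starttls_3des(host, port=25, timeout=10):
    """Offer only 3DES over STARTTLS, as a SWEET32 scanner does.

    Returns True if the server negotiated 3DES (finding confirmed), False if it
    refused, or None if the local OpenSSL has no 3DES suites to offer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing cipher acceptance, not the certificate
    try:
        ctx.set_ciphers("3DES")
    except ssl.SSLError:
        return None
    conn = smtplib.SMTP(host, port, timeout=timeout)
    try:
        conn.starttls(context=ctx)
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return False
    finally:
        conn.close()
    return True


if __name__ == "__main__":
    effective = build_cipherlist(POSTFIX_MEDIUM, EXCLUDE)
    print("Effective OpenSSL cipher string:", effective)
    names = resolve_cipherlist(effective)
    print(f"{len(names)} suites enabled locally")
    weak = sweet32_suites(names)
    print("SWEET32-relevant suites remaining:", weak or "none")
    # Placeholder host; point this at the real port 25 to reproduce the scan.
    # print(probe_starttls_3des("mail.example.invalid"))
```

If the local resolution shows no 3DES suites but the scanner still reports SWEET32 on port 25, the string being tested is not the one that instance serves: compare `postconf -d` against `postconf -n -c <instance>` for tls_medium_cipherlist and smtpd_tls_ciphers, and make sure the master.cf entry for port 25 belongs to the instance you edited. The probe function reproduces the scanner's result directly against the live server.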