
I just noticed (by some online check tools) that my mailserver may allow SSLv3 and updated my configuration.

My current config in Postfix 2.11.2:

# inbound
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3

Unfortunately the tools keep saying SSLv3 is accepted.

How do I convert the desired (nginx) configuration into a Postfix one (inbound and outbound)?

Using Debian/7, Postfix/2.11.2, OpenSSL/1.0.1e

burnersk
  • Are you sure the tool tests SMTP and not HTTPS? You can test with tools like sslscan http://manpages.ubuntu.com/manpages/lucid/man1/sslscan.1.html – YuKYuK Feb 19 '15 at 12:22
  • What's the hostname of the machine? Then we can check extensively ourselves. – sebix Feb 19 '15 at 12:52
  • The issue was that I used only `smtp[d]_tls_mandatory_protocols`. There is also (undocumented) `smtp[d]_tls_protocols`, which also has to be set that way. I will answer my question once I have finally fixed the issue with the cipher suites. – burnersk Feb 21 '15 at 09:18
  • I have split up the question; the question related to cipher suites is now located here: http://serverfault.com/questions/670348/how-to-force-a-own-set-of-ciphers-in-postfix-2-11 – burnersk Feb 21 '15 at 09:32

1 Answer

The tools were not lying!

The solution has to look like this:

# inbound
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  • smtp[d]_tls_security_level == "may": smtp[d]_tls_protocols is used
  • smtp[d]_tls_security_level == "encrypt": smtp[d]_tls_mandatory_protocols is used
  • smtp[d]_tls_security_level == "none": none of these two parameters is used
burnersk
  • Unlike HTTP, SMTP **doesn't force its peer** to connect through a secure channel even when our server is capable of it. That's why Postfix has two variations of smtp[d]_tls_protocols: mandatory and opportunistic. See [this documentation page](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) for the difference between opportunistic and mandatory. – masegaloeh Feb 21 '15 at 10:06
  • In other words, if you use the configuration above, **an MTA which doesn't support TLS** will fail to send email to you. And you can't send email to MTAs that don't support TLS either. That's why, according to RFC 2487, mandatory mode MUST NOT be applied in the case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers. – masegaloeh Feb 21 '15 at 10:09
  • Well, there is still unencrypted 25. So MTA should fallback to unencrypted, right? – burnersk Feb 21 '15 at 10:13
  • Well, I'm not sure because you don't provide your complete TLS configuration. In short: smtpd_tls_protocols will be used when your `smtpd_tls_security_level = may`; smtpd_tls_mandatory_protocols will be used when `smtpd_tls_security_level = encrypt`; when `smtpd_tls_security_level = none` Postfix won't use either parameter. So, here are two questions for you: (1) Did your online tools scan port 25 too? (2) What is the output of the `postconf smtpd_tls_security_level` command? – masegaloeh Feb 21 '15 at 10:22
  • Good to know that you set smtp[d]_tls_security_level = may. With this mode, a client which doesn't support TLS will fall back to an unencrypted channel. But if an ancient client supports TLS but doesn't support the TLSv1 protocol or higher, then the connection may fail. – masegaloeh Feb 21 '15 at 11:32
  • Just a reminder: don't forget to accept your own answer so this question won't be left in an unanswered state :) – masegaloeh Feb 22 '15 at 13:19
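The selection rule spelled out in the answer and in masegaloeh's comments (security level "none" disables TLS, "may" consults `smtp[d]_tls_protocols`, "encrypt" and the stronger client levels consult `smtp[d]_tls_mandatory_protocols`) is easy to get wrong by eye, which is exactly how the asker's first configuration left SSLv3 enabled. The script below is an added illustration, not code from the question, the answer, or Postfix: it parses a main.cf fragment, applies that rule, expands the protocol list the way postconf(5) describes (names prefixed with `!` are excluded, bare names are included, an empty list means "everything"), and reports whether SSLv3 survives. Both sample configurations are constructed from the text above; the `DEFAULTS` table for parameters that are absent from main.cf is an assumption for this example (it matches the asker's observation that an unset opportunistic list admits SSLv3), so replace it with the output of `postconf -d` on your own build.

```python
"""
Which Postfix TLS protocol list is in effect, and is SSLv3 still allowed?

Added example (not Postfix code).  Selection rule per postconf(5):
  level "none"     -> TLS off, neither list is consulted
  level "may"      -> <side>_tls_protocols            (opportunistic TLS)
  level "encrypt"  -> <side>_tls_mandatory_protocols  (mandatory TLS);
                      the smtp client's dane/fingerprint/verify/secure
                      levels are mandatory as well.
"""
import re

# Protocols an OpenSSL 1.0.1 build can negotiate; exclusions subtract from this.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# ASSUMED built-in defaults for parameters missing from main.cf.
# Verify against `postconf -d` on the real server before trusting a verdict.
DEFAULTS = {
    "smtpd_tls_security_level": "none",
    "smtp_tls_security_level": "none",
    "smtpd_tls_protocols": "",            # empty list = all protocols allowed
    "smtp_tls_protocols": "",
    "smtpd_tls_mandatory_protocols": "!SSLv2, !SSLv3",
    "smtp_tls_mandatory_protocols": "!SSLv2, !SSLv3",
}

MANDATORY_LEVELS = {"encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}

# Constructed from the question (before) and the accepted answer (after).
ASKER_CONFIG = """
# inbound
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
"""

FIXED_CONFIG = """
# inbound
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def protocol_set(spec):
    """Expand a Postfix protocol list (comma- and/or space-separated) into
    the set of protocols it permits.  '!NAME' excludes NAME; a bare NAME
    includes it; with no bare names the list starts from ALL_PROTOCOLS."""
    tokens = [t for t in re.split(r"[,\s]+", spec) if t]
    included = {t for t in tokens if not t.startswith("!")}
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    allowed = included if included else set(ALL_PROTOCOLS)
    return allowed - excluded


def effective_protocols(params, side):
    """Return (level, consulted_parameter, allowed_protocols) for side
    'smtpd' (inbound server) or 'smtp' (outbound client)."""
    level_name = f"{side}_tls_security_level"
    level = params.get(level_name, DEFAULTS[level_name])
    if level == "none":
        return level, None, set()
    if level == "may":
        name = f"{side}_tls_protocols"
    elif level in MANDATORY_LEVELS:
        name = f"{side}_tls_mandatory_protocols"
    else:
        raise ValueError(f"unknown {level_name}: {level!r}")
    return level, name, protocol_set(params.get(name, DEFAULTS[name]))


def sslv3_allowed(main_cf, side):
    """True if the effective protocol list for `side` still admits SSLv3."""
    return "SSLv3" in effective_protocols(parse_main_cf(main_cf), side)[2]


def report(main_cf):
    """Human-readable verdict for both sides of one main.cf fragment."""
    lines = []
    for side in ("smtpd", "smtp"):
        level, name, allowed = effective_protocols(parse_main_cf(main_cf), side)
        verdict = "SSLv3 ALLOWED" if "SSLv3" in allowed else "SSLv3 blocked"
        lines.append(f"{side}: level={level} list={name} -> {sorted(allowed)} [{verdict}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- asker's original config ---\n" + report(ASKER_CONFIG))
    print("--- accepted answer's config ---\n" + report(FIXED_CONFIG))
```

Running it shows the asker's original config consulting the unset `smtp[d]_tls_protocols` and therefore admitting SSLv3 on both sides, while the fixed config yields TLSv1 through TLSv1.2 only. On the real server, confirm with `postconf smtpd_tls_protocols` after `postfix reload`, and then test from outside against port 25 rather than 443, for example with `openssl s_client -connect mail.example.com:25 -starttls smtp -ssl3` (where your OpenSSL build still has SSLv3 compiled in), which should now fail to complete the handshake.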