drop SSLv3, RC4 ciphers from SMTP port 25

Per http://googleappsupdates.blogspot.ro/2016/05/disabling-support-for-sslv3-and-rc4-for.html, Google is about to do the same. fixes #611

drop SSLv3, RC4 ciphers from SMTP port 25
Per http://googleappsupdates.blogspot.ro/2016/05/disabling-support-for-sslv3-and-rc4-for.html, Google is about to do the same. fixes #611
3055f9a7 · Joshua Tauberer · fac8477b · 3055f9a7 · 3055f9a7 · 3055f9a7
Commit 3055f9a7 authored Jun 12, 2016 by Joshua Tauberer
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 71 deletions

CHANGELOG.md CHANGELOG.md +1 -0

security.md security.md +1 -1

mail-postfix.sh setup/mail-postfix.sh +2 -1

tls_results.txt tests/tls_results.txt +40 -69

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ In Development
 Mail:
 * Roundcube is updated to version 1.2.0.
+* SSLv3 and RC4 are now no longer supported in incoming and outgoing mail (SMTP port 25).
 v0.18c (June 2, 2016)
 ---------------------

--- a/security.md
+++ b/security.md
@@ -101,7 +101,7 @@ Incoming Mail
 ### Encryption
-As discussed above, there is no way to require on-the-wire encryption of mail. When the box receives an incoming email (SMTP on port 25), it offers encryption (STARTTLS) but cannot require that senders use it because some senders may not support STARTTLS at all and other senders may support STARTTLS but not with the latest protocols/ciphers. To give senders the best chance at making use of encryption, the box offers protocols back to SSLv3 and ciphers with key lengths as low as 112 bits. Modern clients (senders) will make use of the 256-bit ciphers and Diffie-Hellman ciphers with a 2048-bit key for forward secrecy, however. ([source](setup/mail-postfix.sh))
+As discussed above, there is no way to require on-the-wire encryption of mail. When the box receives an incoming email (SMTP on port 25), it offers encryption (STARTTLS) but cannot require that senders use it because some senders may not support STARTTLS at all and other senders may support STARTTLS but not with the latest protocols/ciphers. To give senders the best chance at making use of encryption, the box offers protocols back to TLSv1 and ciphers with key lengths as low as 112 bits. Modern clients (senders) will make use of the 256-bit ciphers and Diffie-Hellman ciphers with a 2048-bit key for perfect forward secrecy, however. ([source](setup/mail-postfix.sh))
 ### DANE

--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -122,8 +122,9 @@ tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 	smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 	smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
+	smtpd_tls_protocols=\!SSLv2,\!SSLv3 \
 	smtpd_tls_ciphers=medium \
-	smtpd_tls_exclude_ciphers=aNULL \
+	smtpd_tls_exclude_ciphers=aNULL,RC4 \
 	smtpd_tls_received_header=yes
 # Prevent non-authenticated users from sending mail that requires being

--- a/tests/tls_results.txt
+++ b/tests/tls_results.txt