How to disable SSLv2 on smtpd opportunistic TLS?

Subject:Re: How to disable SSLv2 on smtpd opportunistic TLS?
Group:Postfix-users
From:Victor Duchovni
Date:22 Jan 2008


 
On Tue, Jan 22, 2008 at 05:37:45PM -0500, Brian Wong wrote:

> My users use SMTP AUTH when they are off-site to relay email. I have
> Postfix version 2.4.6 listening on port 25 with opportunistic TLS. The
> relevant lines of the configuration read
>
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
>
> Auditors do not want SSLv2 available and I am not sure how to disable
> this protocol for opportunistic TLS. I see the option is available
> when the security level is mandatory but I do not see the option for
> when it is opportunistic.
>
> Have I missed something?

No, this is not available with Postfix 2.4 or 2.5, the opportunistic
cipher/protocol controls feature is slated for early 2.6 snapshots,
circa May 2008. The draft code is written, but it has not yet been
subjected to code review. The patch is rather compact:

File                        Old lines   New lines   Delta
-------------------------------------------------------------------------
TOTAL                              16          42      26
src/global/mail_params.h            0          16      16
src/smtp/smtp_session.c            14          13      -1
src/smtpd/smtpd.c                   2           7       5
src/smtp/smtp_params.c              0           2       2
src/smtp/lmtp_params.c              0           2       2
src/smtp/smtp.c                     0           2       2

So it should not prove too difficult to adopt. But there was a finite
amount of time to review TLS changes for 2.5 and this feature did not
make it.

> If this is not possible I will probably resort to making port 25
> available only to those on-site and port 587 available publicly. The
> smtpd daemon listening on 587 will have the following options
>
> smtpd_tls_security_level = encrypt
> smtpd_tls_auth_only = yes
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1 (the default)
>

That's one work-around. The other is a policy service that only accepts
relaying by SASL authenticated TLS clients if the TLS protocol is not
SSLv2. Users could still use SSLv2, but relaying would not be permitted.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

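The second work-around Victor describes, a policy service that refuses relaying to SASL-authenticated clients whose session was negotiated over SSLv2, as an added example (not code from the thread or from the Postfix project). It uses the attributes Postfix hands every policy server (sasl_username, encryption_protocol, encryption_cipher, encryption_keysize, as documented in SMTPD_POLICY_README); the listening address 127.0.0.1:10040, the main.cf wiring in the docstring, and the sample requests are assumptions constructed for the illustration. The check must be listed before permit_sasl_authenticated so its REJECT takes precedence; unauthenticated SSLv2 sessions delivering to local domains get DUNNO, matching the thread's "users could still use SSLv2, but relaying would not be permitted".

```python
"""Postfix SMTPD policy service: no relaying for SASL-authenticated SSLv2 sessions.

Added example, not from the thread.  Assumed main.cf wiring (standard names):
    smtpd_recipient_restrictions =
        permit_mynetworks,
        check_policy_service inet:127.0.0.1:10040,
        permit_sasl_authenticated,
        reject_unauth_destination
"""
import socketserver

LISTEN = ("127.0.0.1", 10040)    # assumed address; must match main.cf above
FORBIDDEN_PROTOCOLS = {"SSLv2"}  # protocol names exactly as Postfix reports them


def parse_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Return the action for one request.

    Only relaying is gated: a session counts as relaying when it is SASL
    authenticated (sasl_username is set).  Anything else is left to the
    remaining restrictions (DUNNO).
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    authenticated = bool(attrs.get("sasl_username"))
    protocol = attrs.get("encryption_protocol", "")
    if authenticated and protocol in FORBIDDEN_PROTOCOLS:
        return ("REJECT Relaying over %s is not permitted; "
                "reconnect with TLSv1 or later" % protocol)
    return "DUNNO"


def handle_request(raw: str) -> str:
    """Full round trip: request text in, blank-line-terminated 'action=...' out."""
    return "action=%s\n\n" % decide(parse_request(raw))


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests per connection; answer each in turn.
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return  # client closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            response = handle_request("\n".join(lines) + "\n\n")
            self.wfile.write(response.encode("utf-8"))
            self.wfile.flush()


# Constructed sample requests; attribute names are the ones Postfix sends.
SAMPLE_SSLV2_AUTH = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "client_address=203.0.113.7\nsender=user@example.net\n"
    "recipient=someone@example.org\nsasl_method=PLAIN\nsasl_username=user\n"
    "encryption_protocol=SSLv2\nencryption_cipher=DES-CBC3-MD5\n"
    "encryption_keysize=168\n\n"
)
SAMPLE_TLSV1_AUTH = SAMPLE_SSLV2_AUTH.replace(
    "encryption_protocol=SSLv2", "encryption_protocol=TLSv1")
SAMPLE_SSLV2_ANON = SAMPLE_SSLV2_AUTH.replace(
    "sasl_method=PLAIN\nsasl_username=user\n", "")

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as server:
        server.serve_forever()
```

Run it under a process supervisor (or as a Postfix spawn(8) service) and point check_policy_service at it; in a rollout, log the decision before switching the REJECT on so you can see which clients still negotiate SSLv2 before they are cut off.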