Disabling SSLv3 in Postfix

Dark Knight Poodle
Some rights reserved by greg westfall.

The POODLE attack was made public late 2014 and as most vendors have taken action to solve possible issues related to POODLE. The time definitely has come to close SSLv3 in all parts of public facing infrastructure. By default Postfix still only disallows SSLv2 and hopefully this will change in the form of stricter default behaviour in Postfix or distributions/vendors that stop shipping SSLv3 libraries.

For now you can set with the postconf command restrictions which protocols shouldn’t be used by Postfix.

$ sudo postconf -e smtpd_tls_mandatory_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtpd_tls_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3
$ sudo postconf -e smtp_tls_protocols=\!SSLv2,\!SSLv3

As this is a change to /etc/postfix/main.cf Postfix can be reloaded to reread the configuration, but it may be smarter to just restart Postfix to make it effective for all connection from the moment Postfix restarts.

$ sudo systemctl restart postfix.service

All encrypted sessions Postfix allows will require TLSv1+. The next step will be to disable the RC4 cipher suite, but will do that in another posting.

One Reply to “Disabling SSLv3 in Postfix”

Comments are closed.