From 8c6363f792fff4310298104d0becc26b16475181 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Tue, 5 May 2015 23:14:59 +0000
Subject: [PATCH] bad ciphers were allowed in smtp submssion

This disallows aNULL and other bad ciphers in the Postfix submission server. I missed an option in 45e93f7dcc18d588fd7725431cbc900befe33f42 recommended by the blog post I was reading. Fixes #389.
---
 setup/mail-postfix.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index f3cfc065..ce44f943 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -75,7 +75,7 @@ tools/editconf.py /etc/postfix/master.cf -s -w \
 "submission=inet n - - - - smtpd
 -o syslog_name=postfix/submission
 -o smtpd_milters=inet:127.0.0.1:8891
- -o smtpd_tls_ciphers=high -o smtpd_tls_protocols=!SSLv2,!SSLv3
+ -o smtpd_tls_ciphers=high -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 -o smtpd_tls_protocols=!SSLv2,!SSLv3
 -o cleanup_service_name=authclean" \
 "authclean=unix n - - - 0 cleanup
 -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters"
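Review bot: The added `smtpd_tls_exclude_ciphers` list takes effect at every TLS security level, but the `smtpd_tls_ciphers=high` and `smtpd_tls_protocols=!SSLv2,!SSLv3` overrides kept beside it on the same line are only consulted for opportunistic TLS. The hunk does not show which `smtpd_tls_security_level` the submission service runs with; if it is `encrypt`, the cipher grade and protocol floor come from the mandatory variants instead, so it would be worth adding `-o smtpd_tls_mandatory_ciphers=high -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3` to this entry. `DES+MD5` is already covered by the separate `DES` and `MD5` entries and can be dropped. The `tools/editconf.py` call begins above the hunk, so any other TLS overrides on this service are not visible here.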