Disable TLS v1.0 & 1.1
Posted: 02 Mar 2019 12:52
Hi,
We have been using these for a little while, and during a routine penetration test we were advised about still having Triple DES and also having TLS v1 & 1.1 enabled.
So I took to Google to find out, and not a lot was evident. However, I have managed to disable Triple DES and also set my EFA to only accept TLS v1.2.
If this is something you need to do, or want to do, here is how:
In /etc/postfix/main.cf
Change:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
To:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
To remove Triple DES:
Change this line:
tls_medium_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
To this:
tls_medium_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
Removing :ECDH+3DES:DH+3DES & RSA+3DES:
A restart of Postfix does the trick.
I used testssl on a Kali box to test:
Hope this helps someone.
ElFranko
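An offline check for the change described in the post, added here as an example and not part of the original post or of EFA/Postfix: it parses main.cf text and reports any of the four protocol parameters that still permit TLSv1 or TLSv1.1, and any Triple DES entry left in tls_medium_cipherlist. The function names are hypothetical; treating an unset parameter as still allowing the old protocols, and accepting the `>=TLSv1.2` floor form used by newer Postfix releases, are assumptions of this sketch.

```python
import re

PROTOCOL_PARAMS = ("smtpd_tls_mandatory_protocols", "smtp_tls_mandatory_protocols",
                   "smtpd_tls_protocols", "smtp_tls_protocols")
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# The "before" settings quoted in the post, used as sample input.
BEFORE = """\
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
tls_medium_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
"""

def parse_main_cf(text):
    """Return {name: value}: skips comments, joins continuation lines, last wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:   # leading whitespace continues a line
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (s.strip() for s in raw.split("=", 1))
            params[current] = value
    return params

def allowed_legacy(value):
    """List which of TLSv1 / TLSv1.1 a protocols value still permits."""
    tokens = [t for t in re.split(r"[,\s:]+", value) if t]
    includes = [t for t in tokens if not t.startswith(("!", ">=", "<="))]
    floor = next((t[2:] for t in tokens if t.startswith(">=")), None)
    allowed = []
    for proto in ("TLSv1", "TLSv1.1"):
        below_floor = floor in ORDER and ORDER.index(proto) < ORDER.index(floor)
        if "!" + proto in tokens or below_floor or (includes and proto not in includes):
            continue
        allowed.append(proto)
    return allowed

def audit(text):
    """Return findings for the settings the post changes (empty list = clean)."""
    params, findings = parse_main_cf(text), []
    for name in PROTOCOL_PARAMS:
        # Assumption: an unset parameter is reported as still allowing both.
        for proto in allowed_legacy(params.get(name, "")):
            findings.append(f"{name}: {proto} still allowed")
    for token in params.get("tls_medium_cipherlist", "").split(":"):
        if "3DES" in token and not token.startswith(("!", "-")):
            findings.append(f"tls_medium_cipherlist: {token} enables Triple DES")
    return findings
```

Run `audit(open("/etc/postfix/main.cf").read())` before restarting Postfix; a scan from another host is still needed to confirm what the running service actually negotiates.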