Do we need Ciphers in Postfix Dovecot configs?

#1 Wed, 10/11/2017 - 09:04
Jfro

Do we need Ciphers in Postfix Dovecot configs?

Some weak ciphers are not excluded by default, but I don't know whether they are needed, or is there a howto in the Virtualmin wiki / docs?

As in http://postfix.1071664.n5.nabble.com/Strong-Ciphers-to-use-with-Postfix-... default testing could give this result:

Algorithm weak
         ECDHE_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_SHA

    SSLv3

https://ssl-tools.net/mailservers

and an example:

# TLS Server
smtpd_tls_exclude_ciphers = RC4, aNULL
# TLS Client
smtp_tls_exclude_ciphers = RC4, aNULL

The aNULL is for blocking anonymous DH and ECDH algorithms to avoid MITM attacks.
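Added example, not part of the original post and not Virtualmin or Postfix code: a small audit of main.cf text that checks whether both the server and client side carry the RC4 and aNULL exclusions from the example above, and whether an explicit protocol list still allows the SSLv3 flagged in the test result. The sample config, the function names and the use of `smtpd_tls_protocols` / `smtp_tls_protocols` with the `!SSLv3` form are assumptions of this example; it only reads what is written in the file, not Postfix's built-in defaults.

```python
import re

# Constructed sample main.cf (not from the thread): the server side follows
# the post's example, the client side is missing aNULL and still allows SSLv3.
SAMPLE_MAIN_CF = """\
# TLS Server
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_protocols = !SSLv2, !SSLv3
# TLS Client
smtp_tls_exclude_ciphers =
    RC4
smtp_tls_protocols = !SSLv2
"""

REQUIRED_EXCLUDES = {"RC4", "aNULL"}  # the two exclusions named in the post


def parse_main_cf(text):
    """Return {parameter: value}. A line starting with whitespace continues
    the previous parameter; blank lines and '#' lines are ignored."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] = (params[current] + " " + line.strip()).strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value
    return params


def tokens(value):
    """Split a Postfix list value on commas, colons and whitespace."""
    return {tok for tok in re.split(r"[,:\s]+", value) if tok}


def audit(text):
    """Report missing cipher exclusions and protocol lists without !SSLv3.
    Assumption: protocol lists use the '!SSLv3' exclusion form."""
    params, findings = parse_main_cf(text), []
    for side in ("smtpd", "smtp"):
        excluded = tokens(params.get(f"{side}_tls_exclude_ciphers", ""))
        for cipher in sorted(REQUIRED_EXCLUDES - excluded):
            findings.append(f"{side}_tls_exclude_ciphers: {cipher} not excluded")
        protocols = params.get(f"{side}_tls_protocols")
        if protocols is not None and "!SSLv3" not in tokens(protocols):
            findings.append(f"{side}_tls_protocols: SSLv3 not disabled")
    return findings
```

Calling `audit()` on the contents of a real main.cf returns an empty list when both sides match the post's example; a parameter that is absent from the file is treated as having no exclusions.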

Thu, 10/12/2017 - 02:45
Jfro

Ok, maybe this should be a new topic, or it is off-topic, but the ssllabs test for https://www.virtualmin.com gives a B grade, also something with cipher protocol; I don't know whether this site is running on VM6? This server accepts RC4 cipher, but only with older protocols. Grade capped to B. 3 insecure RC4 ciphers plus 4 other weak ciphers in the test.

We have A+ but are not using the Apache part (package), VM6.01 GPL.

Tue, 10/17/2017 - 04:10 (Reply to #2)
Jfro

Yeah, better to change/add/delete some ciphers I think; I don't know whether the aNULL will help to prevent MITM attacks on the new WIFI LEAK, while of course it's about [WIFI Clients] and [AP], but ....

https://www.krackattacks.com/#details-android
