This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.

Do we need Ciphers in Postfix Dovecot configs?

3 posts / 0 new

Topic locked

Last post

#1 Wed, 10/11/2017 - 09:04

Jfro

Do we need Ciphers in Postfix Dovecot configs?

Ciphers some weak are not default excluded, but don't know are they needed or a howto in the WIKI / DOCS Virtualmin?

As http://postfix.1071664.n5.nabble.com/Strong-Ciphers-to-use-with-Postfix-... default testing could give this result

Algorithm weak
         ECDHE_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_SHA

    SSLv3

https://ssl-tools.net/mailservers

and example

# TLS Server
smtpd_tls_exclude_ciphers = RC4, aNULL
# TLS Client
smtp_tls_exclude_ciphers = RC4, aNULL

the aNULL for blocking anonymous DH and ECDH algorithms to avoid MITM attacks

#2 Thu, 10/12/2017 - 02:45

Jfro

Ok maybe should be new topic, or offtopic but the ssllabs test for https://www.virtualmin.com gives B grade while also something with cipher protocol, don;t know this site is running on VM6? This server accepts RC4 cipher, but only with older protocols. Grade capped to B. 3 RC4 insecure ciphers plus extra 4 weak other ciphers in test.

We have A+ but not using the Apache part ( package)VM6.01 GPL

#3 Tue, 10/17/2017 - 04:10 (Reply to #2)

Jfro

Yea better change/add/delete some ciphers i think, don't know or the aNULL will help to prevent MITM attacks on the new WIFI LEAK, while ofcourse its about [WIFI Clients] and [AP] but ....

https://www.krackattacks.com/#details-android

Topic locked