Monday, October 27, 2014

Disable SSLv3 in Postfix, Dovecot


Disabling certain versions of SSL works like this in Postfix:

In your /etc/postfix/ add or modify the following config parameter like so:


If you are using mandatory TLS you'll want to set this instead:


These should be fairly self-explanatory, but for further detail read the Postfix configuration parameters documentation.

Do not forget to restart Postfix!


In Dovecot, add the following to your configuration:

ssl_protocols = !SSLv2 !SSLv3

...and restart Dovecot. If you use a version of Dovecot older than 2.1, upgrade and then do the above.
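To confirm the change took effect, the following added example (not part of the original post) reads `name = value` configuration lines and prints every protocol setting that still permits SSLv3. The Postfix parameter names `smtpd_tls_protocols` and `smtpd_tls_mandatory_protocols` are taken from the Postfix documentation rather than from this page, the sample values are constructed, and only the name-list syntax shown above (protocol names with an optional `!`) is interpreted.

```shell
#!/bin/sh
# Added example: flag TLS protocol settings that still permit SSLv3.
# Input: "name = value" lines, for instance the combined output of
#   postconf smtpd_tls_protocols smtpd_tls_mandatory_protocols
#   doveconf -n
# Only lines that are present are judged; an unset parameter falls back to
# the daemon's built-in default, which this script does not know.

# allows_sslv3 VALUE -> exit status 0 if VALUE still permits SSLv3.
allows_sslv3() {
    positive=0
    excluded=0
    # Postfix separates names with spaces, commas or colons; Dovecot uses spaces.
    for tok in $(printf '%s' "$1" | tr ',:' '  '); do
        case "$tok" in
            '!SSLv3') excluded=1 ;;
            SSLv3)    return 0 ;;      # explicitly enabled
            '!'*)     ;;               # some other protocol is excluded
            *)        positive=1 ;;    # explicit allow-list entry, not SSLv3
        esac
    done
    # Exclusion-only (or empty) list: everything not excluded stays enabled.
    [ "$positive" -eq 0 ] && [ "$excluded" -eq 0 ]
}

# audit_tls_config: read config lines on stdin, print offending parameter names.
audit_tls_config() {
    while IFS= read -r line; do
        name=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        value=${line#*=}
        case "$name" in
            smtpd_tls_protocols|smtpd_tls_mandatory_protocols|ssl_protocols)
                if allows_sslv3 "$value"; then echo "$name"; fi ;;
        esac
    done
}

# Constructed sample: one Postfix line was left at "!SSLv2" only.
sample_config() {
    cat <<'EOF'
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2
ssl_protocols = !SSLv2 !SSLv3
EOF
}

sample_config | audit_tls_config
```

Empty output means none of the inspected lines leaves SSLv3 enabled.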

Wednesday, October 15, 2014

Test your SSL setup

Qualys offers a great tool that will check your server for SSL config issues, such as weak ciphers and outdated protocol versions.