Can this SASL configuration be improved

DecebalICT
In my main.cf I have:
############################################################
# SASL stuff
############################################################
smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_auth_enable = no
# Because of POODLE vulnerability
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

Is this OK, or can it be improved?

--
Cecil Westerhof
RE: Can this SASL configuration be improved

angelo

Hi,

Have you considered limiting weak ciphers?

smtpd_tls_exclude_ciphers =

-ALF

-Angelo Fazzina

Operating Systems Programmer / Analyst

University of Connecticut,  UITS, SSG, Server Systems

860-486-9075

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Cecil Westerhof
Sent: Friday, May 26, 2017 11:23 AM
To: Postfix users <[hidden email]>
Subject: Can this SASL configuration be improved

 

In my main.cf I have:
############################################################
# SASL stuff
############################################################
smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_auth_enable = no
# Because of POODLE vulnerability
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

Is this OK, or can it be improved?


--

Cecil Westerhof

Re: Can this SASL configuration be improved

Viktor Dukhovni

> On May 26, 2017, at 11:29 AM, Fazzina, Angelo <[hidden email]> wrote:
>
> Have you considered limiting weak ciphers ?
>  
> smtpd_tls_exclude_ciphers =

That layer of tweak is neither recommended nor needed.  What is recommended is:

        smtpd_tls_ciphers = medium
        smtp_tls_ciphers = medium

these are default values in reasonably recent versions of Postfix.

As to the OP's question, without a description of the requirements it can't
be answered.  His settings are fairly normal.  Most of these are TLS settings;
is there perhaps confusion between "SASL" and "SSL"?

More specific questions get more meaningful answers.

--
        Viktor.
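
An added example, not part of the thread and not Postfix code: it parses the settings from the first message and reports which SASL security options the smtp_ client ends up applying. It relies on smtp_sasl_tls_security_options governing TLS-encrypted sessions (defaulting to smtp_sasl_security_options), and assumes no per-destination override such as smtp_tls_policy_maps; the function names are hypothetical.

```python
import re

# The OP's settings from the first message in this thread (comments dropped).
MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_auth_enable = no
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
"""

# TLS security levels at which the SMTP client refuses to send without TLS.
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """name -> value; skips '#' lines, joins whitespace-led continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = (part.strip() for part in line.partition("="))
            params[name] = value
    return params

def as_list(value):
    """Split a comma/whitespace separated main.cf value into items."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def client_sasl_options(params):
    """SASL security options the smtp_ client applies, per session type."""
    # Postfix default for smtp_sasl_security_options is "noplaintext, noanonymous".
    plain = as_list(params.get("smtp_sasl_security_options", "noplaintext, noanonymous"))
    key = "smtp_sasl_tls_security_options"
    tls = as_list(params[key]) if key in params else plain
    if params.get("smtp_tls_security_level") in MANDATORY_TLS:
        return {"tls": tls}  # no cleartext sessions, so only the TLS set matters
    return {"cleartext": plain, "tls": tls}

if __name__ == "__main__":
    print(client_sasl_options(parse_main_cf(MAIN_CF)))
```

With smtp_tls_security_level = encrypt every outbound session is encrypted, so the noplaintext in smtp_sasl_security_options never comes into play and only noanonymous is enforced.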