Drop SSLv3 support in Postfix

Hi folks !

I continue my setup, and I have found that Postfix still has SSLv3 support enabled.
It’s a weak protocol, and already deprecated in the Nginx setup.

A simple patch can be done in /etc/postfix/main.cf by adding:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

maybe it can be added to the Git repo :slight_smile:
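To see which of the four parameters above actually still permit SSLv2/SSLv3 before and after such a change, here is a small audit script. It is an added example, not code from the thread or from Mail-in-a-Box. It parses Postfix's "name = value" main.cf syntax (whitespace-led continuation lines, '#' comments) and evaluates each value in the three forms Postfix accepts: an exclusion list ("!SSLv2, !SSLv3"), an inclusion list ("TLSv1.2, TLSv1.3") and, in newer releases, a minimum version (">=TLSv1.2"). The sample main.cf is constructed for the demonstration; per-service overrides in master.cf (the "-o smtpd_tls_..." lines a submission service on port 587 may carry) are assumed out of scope and are not read.

```python
"""Audit Postfix TLS protocol settings in main.cf for SSLv2/SSLv3 exposure.

Added example for this thread, not Mail-in-a-Box code. Only main.cf is
parsed; master.cf per-service "-o" overrides are deliberately not covered.
"""
import re

PARAMS = (
    "smtpd_tls_protocols",            # opportunistic TLS, inbound (port 25)
    "smtpd_tls_mandatory_protocols",  # mandatory TLS, inbound
    "smtp_tls_protocols",             # opportunistic TLS, outbound
    "smtp_tls_mandatory_protocols",   # mandatory TLS, outbound
)
WEAK = ("SSLv2", "SSLv3")
# Ordering used to evaluate the ">=version" form.
RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed sample: only the two mandatory settings fully exclude SSLv3.
SAMPLE_MAIN_CF = """\
# Postfix main.cf (constructed sample)
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2,
    !SSLv3
smtpd_tls_protocols = !SSLv2
# smtp_tls_protocols intentionally left unset
"""


def parse_main_cf(text):
    """Return {name: value}, honouring continuation lines and '#' comments."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()  # continuation of previous value
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def weak_protocols_allowed(value):
    """Return the WEAK protocols a *_tls_protocols value still permits.

    None means the value is empty, so the release-specific Postfix default
    applies and this audit cannot decide; check with 'postconf <name>'.
    """
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    if not tokens:
        return None
    floors = [t[2:] for t in tokens if t.startswith(">=")]
    if floors:  # minimum-version form: weak protocol allowed only if at/above floor
        floor = max(RANK.get(f, 0) for f in floors)
        return [p for p in WEAK if RANK[p] >= floor]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    if excluded:  # exclusion form: allowed unless explicitly excluded
        return [p for p in WEAK if p not in excluded]
    return [p for p in WEAK if p in tokens]  # inclusion form


def audit(text):
    """Map each TLS protocol parameter to the weak protocols it still allows."""
    params = parse_main_cf(text)
    return {name: (None if name not in params else weak_protocols_allowed(params[name]))
            for name in PARAMS}


if __name__ == "__main__":
    for name, weak in audit(SAMPLE_MAIN_CF).items():
        if weak is None:
            print(f"{name:32} unset -> release default applies; run: postconf {name}")
        elif weak:
            print(f"{name:32} still allows {', '.join(weak)}")
        else:
            print(f"{name:32} OK")
```

Run it against a real file with `audit(open("/etc/postfix/main.cf").read())`; an unset parameter is reported as such rather than guessed, because the default differs between Postfix releases and `postconf <name>` is the authoritative answer for the installed one.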

Did you check port 25 (allows SSLv3) or port 587 (disallows SSLv3)?

Please see https://github.com/mail-in-a-box/mailinabox/blob/master/security.md for the rationale for why things are as they are.


I apologize :smile:
and I’ll go roll back my ugly tweaks!

The Mailserver Check Tool https://de.ssl-tools.net/mailservers shows that SSLv3 is still activated. I think dropping it would make sense :wink:


We’ll follow what Google does for port 25. If you can check & show to me that Google no longer offers SSLv3 on port 25, we’ll do it.

I lately discovered this too and wondered where the problem was. This explains it. I can follow your argument that Google also allows SSLv3. Nevertheless, I applied the recommended settings from cipherlist as an experiment a week ago (see here https://ssl-tools.net/mailservers/box.letterninja.me). Haven’t had any problems yet.

The implications for SMTP are completely different than for the web (HTTPS). I don’t think dropping SSLv3 here makes email any more secure at all, but it could prevent a legacy email server from emailing you or force the legacy server to downgrade to clear text (as bad as SSLv3 is, it’s probably better than clear text).

I don’t want the box to prevent people from getting legitimate mail for no real reason, which is why the SMTP port 25 settings are conservative.

Email servers like Posteo or Mailbox.org or other ISPs are also not providing SSLv3 anymore.

Google still supports SSL on port 25, as does Rackspace for their hosted email services.
