13

I have made a security check of our Postfix server on https://de.ssl-tools.net/mailservers and got a warning that "ECDHE_RSA_WITH_RC4_128_SHA" is still supported. But I don't know how to disable that ...

Steffen

1 Answer

22

Add to your main.cf:

# TLS Server
smtpd_tls_exclude_ciphers = RC4, aNULL
# TLS Client
smtp_tls_exclude_ciphers = RC4, aNULL

Andrew Domaszek
  • Why did you add the `aNULL` cipher to that list? – Marian Oct 03 '16 at 20:43
  • 2
    To block anonymous DH and ECDH algorithms. It's not strictly necessary for this question, but typically you always want the server to be authenticated to avoid MITM attacks. – Andrew Domaszek Oct 03 '16 at 21:56
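To make the accepted answer concrete, here is a small added example (my own code, not from the answer's author or from the Postfix project) that parses a main.cf fragment, reports which of the two exclusion parameters still lack `RC4` and `aNULL`, builds the OpenSSL cipher string that Postfix derives by appending `!`-prefixed exclusions to its base cipher list, and flags RC4 or anonymous suites in a scan report such as the one from ssl-tools. The main.cf contents and the scan output are constructed for the example; the base cipher list passed to `openssl_cipherlist` is a placeholder standing in for whatever Postfix's cipher grade resolves to on your build.

```python
"""Check a Postfix main.cf for the RC4 / aNULL exclusions on both TLS roles."""
import re

# Constructed sample main.cf: the server side was fixed, the client side was not.
SAMPLE_MAIN_CF = """\
# TLS Server
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = RC4, aNULL
# TLS Client
smtp_tls_security_level = may
"""

# Constructed cipher names as a scanner would list them (IANA naming).
SAMPLE_SCAN = [
    "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_RSA_WITH_RC4_128_SHA",
    "DH_anon_WITH_AES_256_CBC_SHA",
]

# Postfix splits list-valued parameters on commas and/or whitespace.
SPLIT_RE = re.compile(r"[,\s]+")


def parse_main_cf(text):
    """Parse simple 'key = value' lines into a dict; comments and blanks are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def exclusions(params, key):
    """Return the exclusion list for one parameter, split the way Postfix splits it."""
    return [c for c in SPLIT_RE.split(params.get(key, "")) if c]


def missing_exclusions(params, required=("RC4", "aNULL")):
    """For server (smtpd) and client (smtp) roles, list required exclusions that are absent."""
    report = {}
    for key in ("smtpd_tls_exclude_ciphers", "smtp_tls_exclude_ciphers"):
        present = {c.upper() for c in exclusions(params, key)}
        report[key] = [r for r in required if r.upper() not in present]
    return report


def openssl_cipherlist(base_list, excludes):
    """Build the OpenSSL cipher string Postfix uses: base list, then '!name' per exclusion."""
    return ":".join([base_list] + ["!" + c for c in excludes])


def weak_ciphers(advertised):
    """From scanner cipher names, pick suites using RC4 or anonymous (unauthenticated) key exchange."""
    return [c for c in advertised
            if "RC4" in c.upper() or "_ANON_" in c.upper()]


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print(missing_exclusions(cfg))
    # Placeholder base list; Postfix substitutes the list for the configured cipher grade.
    print(openssl_cipherlist("BASE_LIST_PLACEHOLDER",
                             exclusions(cfg, "smtpd_tls_exclude_ciphers")))
    print(weak_ciphers(SAMPLE_SCAN))
```

Running it on the sample shows the client role (`smtp_tls_exclude_ciphers`) still missing both entries, which is exactly why the answer sets the parameter for both roles: the server accepting mail and the Postfix client delivering it negotiate independently.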