Securing Mail Server SSL/TLS
Posted: 8 Jul 2021, 23:28pm - Thursday

I have been auditing our servers security. I was trying to resolved some issues detected by tenable.io, one of the issue raised was the SWEET32. There are few, by I am not disclosing that here. :) To resolve all vulnerabilities, these are my new settings in my postfix (main.cf) :

smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA, EXP, MEDIUM, ADH, AECDH, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES
smtpd_tls_mandatory_protocols = !SSLv2 !SLv3 !TLSv1
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1

then restart postfix:

postfix stop; postfix start

that's it. it resolved my issues.