Disable SSLv3 and select ciphers in amavis

Mark Martinec Mark.Martinec+amavis at ijs.si
Mon Feb 15 17:30:05 CET 2016


Marc Grooz wrote:
> is there a way to disable SSLv3 and control which ciphers amavis use?


On 2015-03-23 09:07, Markus Benning wrote:
> The quick and dirty way is to set it in the amavisd source code. Try:
[...]
> The better way would be to add configuration options for this 
> parameters
> to amavisd and submit a patch for inclusion.
[...]
> I just had a look at the code. The attached patch should add the
> configuration parameters:
[...]
> I added a few more options which may be of interest:
[...]
> For documentation of parameters see the IO::Socket::SSL man page.

Thanks for the suggestion. The TLS set of options was rather
neglected, I agree.

Although, the default SSL_version in IO::Socket::SSL already
has SSLv3 and SSLv2 disabled:

$ man IO::Socket::SSL
   [...]
   The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means,
   that the handshake format is compatible to SSL2.0 and higher, but
   that the successful handshake is limited to TLS1.0 and higher,
   that is no SSL2.0 or SSL3.0 because both of these versions have
   serious security issues and should not be used anymore.

To go into in 2.11.0:

- Two new configuration settings are added: %smtpd_tls_server_options
   and %smtp_tls_client_options. These two associative arrays are passed
   to IO::Socket::SSL->start_SSL when establishing a server-side or a
   client-side TLS session with an MTA, and provide more control over
   a TLS session, like providing certificates and restricting ciphers.
   See documentation of a perl module IO::Socket::SSL for a list of
   all options with their descriptions.

   Existing config options $smtpd_tls_cert_file and $smtpd_tls_key_file
   are now deprecated in favour of a more generic %smtpd_tls_server_options.
   Preferably set fields 'SSL_key_file' and 'SSL_cert_file' directly in
   %smtpd_tls_server_options instead. For compatibility with 2.10 the
   values of $smtpd_tls_cert_file and $smtpd_tls_key_file are fed into
   %smtpd_tls_server_options if fields 'SSL_key_file' and 'SSL_cert_file'
   are not provided.

   Example:

   %smtp_tls_client_options = (
     SSL_verifycn_scheme => 'smtp',
     SSL_version => 'SSLv23:!SSLv2:!SSLv3',   # exclusions are ':'-separated, as in the IO::Socket::SSL default
     SSL_cipher_list => 'HIGH:!MD5:!DSS:!aNULL',
   # SSL_client_ca_file => ... ,
   );

   %smtpd_tls_server_options = (
     SSL_session_cache => 2,
     SSL_verifycn_scheme => 'smtp',
     SSL_key_file  => "$MYHOME/cert/amavisd-key.pem",
     SSL_cert_file => "$MYHOME/cert/amavisd-cert.pem",
     SSL_dh_file   => "$MYHOME/cert/amavisd-dh.dat",
   # SSL_ca_file   => ... ,
     SSL_version   => 'SSLv23:!SSLv2:!SSLv3',   # same ':'-separated form
     SSL_cipher_list => 'HIGH:!MD5:!DSS:!aNULL',
   );

   Suggested by Marc Grooz and Patrick Ben Koetter, based on a patch
   by Markus Benning.


Mark
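Since the two hashes described above are passed to IO::Socket::SSL->start_SSL unchanged, a typo in SSL_version or a missing !aNULL is only discovered when the first TLS handshake fails or, worse, succeeds with a weak suite. The Perl below is an added example, not amavisd's own code: it applies the 2.11 compatibility rule (deprecated $smtpd_tls_cert_file / $smtpd_tls_key_file only fill in fields the hash lacks) and then pre-flights the TLS-relevant fields. The helper names merge_tls_server_options and check_tls_options are hypothetical, the paths are constructed sample values, and the SSL_version token grammar is a simplified imitation of what IO::Socket::SSL accepts (':'-separated tokens, optional leading '!'), not a call into that module.

```perl
#!/usr/bin/perl
# Added example (not amavisd code): build %smtpd_tls_server_options the
# 2.11 way and sanity-check it before it would reach start_SSL.
# Helper names are hypothetical; paths are constructed sample values.
use strict;
use warnings;

my $MYHOME = '/var/amavis';                                  # constructed

# Deprecated 2.10 scalars, still honoured when the hash lacks the fields.
my $smtpd_tls_cert_file = "$MYHOME/cert/amavisd-cert.pem";
my $smtpd_tls_key_file  = "$MYHOME/cert/amavisd-key.pem";

my %smtpd_tls_server_options = (
  SSL_session_cache   => 2,
  SSL_verifycn_scheme => 'smtp',
  SSL_version         => 'SSLv23:!SSLv2:!SSLv3',
  SSL_cipher_list     => 'HIGH:!MD5:!DSS:!aNULL',
);

# Explicit SSL_cert_file / SSL_key_file win; otherwise fall back to the
# deprecated scalars, mirroring the compatibility rule in the release note.
sub merge_tls_server_options {
  my ($opts, $cert_file, $key_file) = @_;
  my %merged = %$opts;
  $merged{SSL_cert_file} = $cert_file
    if defined $cert_file && !defined $merged{SSL_cert_file};
  $merged{SSL_key_file}  = $key_file
    if defined $key_file  && !defined $merged{SSL_key_file};
  return \%merged;
}

# Returns a list of problems; an empty list means the options look sane.
# Token grammar is a simplified imitation of IO::Socket::SSL's: tokens
# are ':'-separated, each an optional '!' plus a protocol name.
sub check_tls_options {
  my ($o) = @_;
  my @problems;

  # IO::Socket::SSL's documented default applies when SSL_version is unset.
  my $ver = defined $o->{SSL_version} ? $o->{SSL_version} : 'SSLv23:!SSLv3:!SSLv2';
  my %excluded;
  for my $tok (split /\s*:\s*/, $ver) {
    if ($tok =~ m{^(!?)(SSLv2|SSLv3|SSLv23|TLSv1(?:_?[123])?)$}i) {
      $excluded{lc $2} = 1 if $1;
    } else {
      push @problems, "SSL_version token '$tok' is not valid (use ':' between tokens)";
    }
  }
  for my $legacy (qw(SSLv2 SSLv3)) {
    push @problems, "SSL_version does not exclude $legacy"
      unless $excluded{lc $legacy};
  }

  # Cipher list must rule out anonymous (unauthenticated) suites.
  my $ciphers = defined $o->{SSL_cipher_list} ? $o->{SSL_cipher_list} : '';
  push @problems, "SSL_cipher_list should contain !aNULL"
    unless $ciphers =~ /(?:^|:)!aNULL(?::|$)/;

  for my $f (qw(SSL_cert_file SSL_key_file)) {
    push @problems, "$f is not set" unless defined $o->{$f};
  }
  return @problems;
}

my $opts = merge_tls_server_options(\%smtpd_tls_server_options,
                                    $smtpd_tls_cert_file, $smtpd_tls_key_file);
my @problems = check_tls_options($opts);
if (@problems) {
  print "TLS option problems:\n", map("  - $_\n", @problems);
} else {
  print "TLS options OK: $_ => $opts->{$_}\n" for sort keys %$opts;
}

# Negative case (constructed): a comma-separated exclusion list is a single
# invalid token, so nothing is excluded and the check flags it.
my @bad = check_tls_options({ SSL_version => '!SSLv2,!SSLv3', SSL_cipher_list => 'HIGH' });
print "negative case: $_\n" for @bad;
```

Run it once against a copy of the values from amavisd.conf; the negative case at the end shows why the separator matters: a comma-joined string is one token that matches nothing, so neither SSLv2 nor SSLv3 would actually be excluded.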

