-SSLv3 currently recommended master.cf for TLS ???
Robert Schetterer
rs at sys4.de
Mon Oct 27 14:03:50 CET 2014
On 27.10.2014 at 13:43, Joachim Burbach wrote:
> I would also like to disable SSLv3,
> but unfortunately I am not sure what I have to take out of my master.cf so that TLS still works.
> Or is everything still fine as it is?
> Can someone help me, please?
>
> ---Postfix master.cf------------------------------------------------------------
> smtp inet n - - - - smtpd
> submission inet n - - - - smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous
>   -o smtpd_sasl_local_domain=$myhostname
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-virtual_sender.cf
>   -o smtpd_sender_restrictions=reject_sender_login_mismatch
>   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
> smtps inet n - - - - smtpd
>   -o syslog_name=postfix/smtps
>   -o smtpd_tls_wrappermode=yes
>   -o broken_sasl_auth_clients=yes
>
> pickup fifo n - - 60 1 pickup
>   -o content_filter=
>   -o receive_override_options=no_header_body_checks
> cleanup unix n - - - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> tlsmgr unix - - - 1000? 1 tlsmgr
> rewrite unix - - - - - trivial-rewrite
> bounce unix - - - - 0 bounce
> defer unix - - - - 0 bounce
> trace unix - - - - 0 bounce
> verify unix - - - - 1 verify
> flush unix n - - 1000? 0 flush
> proxymap unix - - n - - proxymap
> proxywrite unix - - n - 1 proxymap
> smtp unix - - - - - smtp
> relay unix - - - - - smtp
> showq unix n - - - - showq
> error unix - - - - - error
> retry unix - - - - - error
> discard unix - - - - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - - - - lmtp
> anvil unix - - - - 1 anvil
> scache unix - - - - 1 scache
> maildrop unix - n n - - pipe
>   flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
> uucp unix - n n - - pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail unix - n n - - pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
>   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
> scalemail-backend unix - n n - 2 pipe
>   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
> mailman unix - n n - - pipe
>   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
>   ${nexthop} ${user}
>
> dovecot unix - n n - - pipe
>   flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
>
> # additional transport without filter, e.g. for newsletters
> newssmtp unix - - n - 50 smtp
>   -o content_filter=
>   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
>
> amavis unix - - - - 4 smtp
>   -o smtp_data_done_timeout=1200
>   -o smtp_send_xforward_command=yes
>   -o disable_dns_lookups=yes
>
> 127.0.0.1:10025 inet n - - - - smtpd
>   -o content_filter=
>   -o local_recipient_maps=
>   -o relay_recipient_maps=
>   -o smtpd_restriction_classes=
>   -o smtpd_delay_reject=no
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o mynetworks=127.0.0.0/8
>   -o smtpd_error_sleep_time=0
>   -o smtpd_soft_error_limit=1001
>   -o smtpd_hard_error_limit=1000
>   -o smtpd_client_connection_count_limit=0
>   -o smtpd_client_connection_rate_limit=0
>   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>
> policy-spf unix - n n - - spawn
>   user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------
> Kind regards
> JO!
>
>
Maybe this helps:
https://sys4.de/de/blog/2014/10/21/poodle-bug-postfix-sslv3-deaktivieren/
Best Regards
Kind regards, Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
More information about the postfix-users mailing list
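
Added example (not part of the original thread, and not sys4's or Postfix's own code): the posted master.cf carries no `*_tls_protocols` overrides, so the protocol versions come from main.cf or the compiled-in defaults. The sketch below parses master.cf, layers each smtpd service's `-o` overrides over the main.cf values, and reports listeners that still permit SSLv3. The main.cf values and the smtps protocol override are constructed for illustration, and only the `name` / `!name` list syntax is handled.

```python
import re

# Constructed sample from the post's services; the smtps protocol override is hypothetical.
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_mandatory_protocols=!SSLv2
smtp       unix  -  -  -  -  -  smtp
"""
PARAMS = ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols")
# Constructed main.cf values, as `postconf` would report them on a hardened host.
MAIN_CF = dict.fromkeys(PARAMS, "!SSLv2, !SSLv3")

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) onto their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def allows_sslv3(value):
    """Handles the name / !name list syntax; an empty value allows everything."""
    tokens = [t.lower() for t in re.split(r"[,:\s]+", value) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    return "sslv3" not in excluded and (not included or "sslv3" in included)

def audit(master_text, main_cf):
    """Map each smtpd listener to the parameters that still permit SSLv3."""
    findings = {}
    for entry in logical_lines(master_text):
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        overrides = dict(o.split("=", 1) for o in re.findall(r"-o\s+(\S+=\S*)", entry))
        effective = {**main_cf, **overrides}  # -o overrides win over main.cf
        weak = [p for p in PARAMS if allows_sslv3(effective.get(p, ""))]
        if weak:
            findings[fields[0]] = weak
    return findings

print(audit(MASTER_CF, MAIN_CF))
```

A parameter missing from the `main_cf` argument is treated as empty (all protocols allowed), so feed it the values reported by `postconf` rather than only the lines present in main.cf.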