Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Postfix and Dovecot

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 5, 6, and 7
  • Postfix
  • Dovecot

Issue

  • How to disable SSL 3.0 and other weak protocols in Postfix and Dovecot

Resolution

Dovecot

  • Red Hat Enterprise Linux 7 (dovecot-2.2.x)

To disable SSL 3.0 and SSL 2.0 in Dovecot on Red Hat Enterprise Linux 7, add the following line to the /etc/dovecot/conf.d/10-ssl.conf file

ssl_protocols = !SSLv2 !SSLv3

You must restart (not only reload) the dovecot service for this change to take effect using systemctl restart dovecot.service.

  • Red Hat Enterprise Linux 6 (dovecot-2.0.x), Red Hat Enterprise Linux 5 (dovecot-1.0.x)

Dovecot as included in Red Hat Enterprise Linux 5 and 6 does not support the disabling of arbitrary SSL protocols; only Dovecot version 2.1 and later support this functionality. In order to disable SSL 3.0, you must recompile the dovecot package without SSL 3.0 support. Support for disabling arbitrary SSL protocols may be included in Dovecot in Red Hat Enterprise Linux 5 and 6 via a future update.

Postfix

  • Red Hat Enterprise Linux 6 (postfix-2.6.x), Red Hat Enterprise Linux 7 (postfix-2.10.x)

To disable SSL 3.0 and SSL 2.0 in Postfix on Red Hat Enterprise Linux 6 and 7, add the following lines to the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3

These configuration options disable SSL 3.0 and 2.0 for both mandatory and opportunistic TLS encryption originating from both the Postfix SMTP server and the Postfix SMTP client. Note that mandatory TLS encryption must be specifically enabled with the smtpd_enforce_tls = yes configuration option for Postfix SMTP servers, and the smtp_enforce_tls = yes configuration option for Postfix SMTP clients.

Note: If you change the either of the Postfix configuration option above to include !SSLv3, your servers may fail to receive data from certain delivery agents that only support SSL 3.0.

You must restart (not only reload) the postfix service for this change to take effect using service restart postfix on Red Hat Enterprise Linux 6 and systemctl restart postfix.service on Red Hat Enterprise Linux 7.

  • Red Hat Enterprise Linux 5 (postfix-2.3.x)

To disable SSL 3.0 and SSL 2.0 in Postfix on Red Hat Enterprise Linux 5, add the following lines to the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_protocols = TLSv1

These configuration options only enable TLSv1 for mandatory TLS encryption originating from both the Postfix SMTP server and the Postfix SMTP client. Note that mandatory TLS encryption must be specifically enabled with the smtpd_enforce_tls = yes configuration option for Postfix SMTP servers, and the smtp_enforce_tls = yes configuration option for Postfix SMTP clients.

Note: If you change the either of the Postfix configuration option above to only allow TLSv1, your servers may fail to receive data from certain delivery agents that only support SSL 3.0.

You must restart (not only reload) the postfix service for this change to take effect using service restart postfix.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.