Protect your postfix/dovecot mail server against the DROWN attack

DROWN is a vulnerability that affects HTTPS and other services that rely on SSL and TLS. The attack only needs one reachable server that still accepts SSLv2 and uses the same RSA private key as the target, so every service sharing the certificate (SMTP, IMAP, POP3, HTTPS) has to be checked.
In order to protect your postfix/dovecot mail server, you should disable SSLv2.

The following lines should be added to the postfix configuration file (main.cf):

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_eecdh_grade = ultra

And the following lines should be added to the dovecot SSL configuration file:

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_protocols = !SSLv2 !SSLv3

This also disables SSLv3 which has its own issues (POODLE, BEAST).
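A small audit script, added here as an example (not part of the original post or of Postfix/Dovecot), that parses the protocol settings above and reports any key that still allows SSLv2 or SSLv3. The sample config text is constructed; both the Postfix exclusion form (`!SSLv2, !SSLv3`) and the inclusion form (`TLSv1 TLSv1.2`) are handled, and an unset key is reported as not disabled, since older defaults allowed SSLv3.

```python
"""Audit Postfix/Dovecot protocol settings for the SSLv2/SSLv3 exclusions."""
import re

# Constructed sample configs (not real files). Postfix separates list items
# with commas and/or spaces, Dovecot with spaces; both accept either an
# exclusion list ("!SSLv2 !SSLv3") or an inclusion list ("TLSv1 TLSv1.2").
POSTFIX_MAIN_CF = """
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2
"""
DOVECOT_SSL_CONF = """
ssl_protocols = !SSLv2 !SSLv3
"""

POSTFIX_KEYS = ("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
                "smtp_tls_mandatory_protocols", "smtp_tls_protocols")
DOVECOT_KEYS = ("ssl_protocols",)


def parse_settings(text):
    """Return {key: value} for 'key = value' lines; '#' lines are comments.
    Postfix continuation lines (leading whitespace) are not handled here."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def protocol_disabled(value, proto):
    """True if `proto` cannot be negotiated under this protocol-list value."""
    tokens = [t.lower() for t in re.split(r"[\s,]+", value) if t]
    if not tokens:
        return False  # unset: fall back to defaults, treat as not disabled
    if all(t.startswith("!") for t in tokens):
        return "!" + proto.lower() in tokens  # exclusion list
    return proto.lower() not in tokens        # inclusion list


def audit(text, keys, protos=("SSLv2", "SSLv3")):
    """Return (key, protocol) pairs still allowed; an empty list means OK."""
    settings = parse_settings(text)
    return [(key, proto) for key in keys for proto in protos
            if not protocol_disabled(settings.get(key, ""), proto)]
```

Dovecot 2.3 replaced `ssl_protocols` with `ssl_min_protocol`, so adjust the key list for that version.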

More info about the DROWN attack: https://drownattack.com