
Protect your postfix/dovecot mail server against the DROWN attack

DROWN (CVE-2016-0800) is a cross-protocol attack on servers that rely on SSL/TLS, HTTPS included. An attacker who can reach any service that still answers SSLv2 handshakes with a given RSA private key can use it as a decryption oracle against TLS sessions made to any other service using that same key, so a forgotten SSLv2-capable SMTP or IMAP listener can expose your HTTPS traffic even though the web server itself only speaks TLS.
To protect your postfix/dovecot mail server (and every other host that shares its certificate or key), disable SSLv2 on every TLS-enabled port: SMTP (25, 465, 587), IMAP (143, 993) and POP3 (110, 995).

The following lines should be added to the Postfix configuration file (main.cf); afterwards run postfix reload and confirm the running values with postconf -n:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_eecdh_grade = ultra

The *_mandatory_* parameters only apply where TLS is mandatory (security level encrypt or stricter); the plain *_tls_protocols parameters cover opportunistic TLS (security level may), which is the usual setting on port 25, so both pairs are needed. Likewise smtpd_tls_mandatory_ciphers = high only takes effect for mandatory TLS; the opportunistic cipher list is deliberately left alone so that clients which cannot do better still get encryption rather than cleartext. Postfix 3.6 and later also accept a minimum-version form such as smtpd_tls_protocols = >=TLSv1.2.

And the following lines should be added to the Dovecot SSL configuration file (conf.d/10-ssl.conf on a stock install), followed by doveadm reload:

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_protocols = !SSLv2 !SSLv3
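
To check that the settings above (and their Dovecot 2.3 equivalent) really leave no legacy protocol enabled, here is an added audit script written for this post; it is not part of Postfix or Dovecot. It parses main.cf-style and dovecot.conf-style text, expands the protocol specs using the exclusion semantics both daemons document ("!NAME" excludes, a bare NAME restricts to the listed versions, and Postfix 3.6+/Dovecot 2.3 minimum-version forms), and reports which of SSLv2/SSLv3 would still be accepted. The sample configurations are constructed for the demo; the "weak" Dovecot one shows why "!SSLv2" in ssl_cipher_list alone is not a fix: it only removes SSLv2 cipher suites, and an OpenSSL bug disclosed with DROWN (CVE-2015-3197) let clients negotiate SSLv2 suites that had been disabled that way.

```python
"""Audit Postfix/Dovecot TLS settings for SSLv2/SSLv3 exposure (DROWN, POODLE).

Added example for this post, not Postfix or Dovecot code. Parses key = value
configuration text and expands the protocol specs as documented for
smtpd_tls_protocols (Postfix) and ssl_protocols / ssl_min_protocol (Dovecot).
All sample configurations below are constructed, not taken from a real server.
"""
import re

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3"}


def parse_kv(text):
    """Parse 'key = value' lines; main.cf and dovecot.conf share this shape.
    Comment and blank lines are skipped; the last assignment wins, as in both daemons."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def enabled_protocols(spec):
    """Expand a protocol spec into the set of protocol versions it enables.

    '!NAME' excludes a version; a bare NAME includes it, and if any bare names are
    present only those are enabled (minus exclusions); '>=NAME' / '<=NAME' are the
    Postfix 3.6+ bounds. An empty spec enables everything the TLS library offers."""
    tokens = [t for t in re.split(r"[\s,]+", spec.strip()) if t]
    enabled = set(PROTOCOLS)
    includes = {t for t in tokens if not t.startswith(("!", ">=", "<="))}
    if includes:
        enabled = includes & set(PROTOCOLS)
    for t in tokens:
        if t.startswith("!"):
            enabled.discard(t[1:])
        elif t.startswith(">="):
            enabled -= set(PROTOCOLS[:PROTOCOLS.index(t[2:])])
        elif t.startswith("<="):
            enabled -= set(PROTOCOLS[PROTOCOLS.index(t[2:]) + 1:])
    return enabled


def audit_postfix(main_cf):
    """Map each Postfix protocol parameter to the legacy versions it still allows.
    A parameter that is not set explicitly maps to None: its value then depends on
    the compiled-in default of the installed Postfix version, which this audit
    deliberately does not trust."""
    cfg = parse_kv(main_cf)
    findings = {}
    for param in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
                  "smtp_tls_protocols", "smtp_tls_mandatory_protocols"):
        spec = cfg.get(param)
        findings[param] = None if spec is None else enabled_protocols(spec) & LEGACY
    return findings


def audit_dovecot(ssl_conf):
    """Dovecot 2.2 uses ssl_protocols (exclusion syntax); 2.3 replaced it with
    ssl_min_protocol. Return the legacy versions left enabled by either form.
    ssl_cipher_list is ignored on purpose: it filters cipher suites, not protocols."""
    cfg = parse_kv(ssl_conf)
    if "ssl_min_protocol" in cfg:
        return enabled_protocols(">=" + cfg["ssl_min_protocol"]) & LEGACY
    return enabled_protocols(cfg.get("ssl_protocols", "")) & LEGACY


def report(name, findings):
    """Print one line per parameter; return True only if nothing legacy remains."""
    clean = True
    for param, legacy in findings.items():
        if legacy is None:
            print(f"[{name}] {param}: not set, relies on this Postfix version's default")
            clean = False
        elif legacy:
            print(f"[{name}] {param}: still allows {', '.join(sorted(legacy))}")
            clean = False
        else:
            print(f"[{name}] {param}: OK")
    return clean


# Constructed sample configurations for the demo (hypothetical paths).
WEAK_MAIN_CF = """
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
"""
HARDENED_MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
"""
WEAK_DOVECOT = "ssl = required\nssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL\n"
HARDENED_DOVECOT_22 = "ssl = required\nssl_protocols = !SSLv2 !SSLv3\n"
HARDENED_DOVECOT_23 = "ssl = required\nssl_min_protocol = TLSv1.2\n"

if __name__ == "__main__":
    report("postfix-weak", audit_postfix(WEAK_MAIN_CF))
    report("postfix-hardened", audit_postfix(HARDENED_MAIN_CF))
    for label, conf in (("dovecot-cipherlist-only", WEAK_DOVECOT),
                        ("dovecot-2.2", HARDENED_DOVECOT_22),
                        ("dovecot-2.3", HARDENED_DOVECOT_23)):
        report(label, {"protocols": audit_dovecot(conf)})
```

On a real host feed it the output of postconf -n and doveconf -n rather than the raw files, so that includes and overrides are already resolved. The audit reads configuration only; the listener itself should still be probed from outside after the reload.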

Note that the !SSLv2 in ssl_cipher_list only removes SSLv2 cipher suites; it is the ssl_protocols line that actually refuses the protocol, and an OpenSSL bug disclosed alongside DROWN (CVE-2015-3197) let clients negotiate SSLv2 suites that had been disabled in the cipher string. On Dovecot 2.3 and later, ssl_protocols has been replaced by ssl_min_protocol (for example ssl_min_protocol = TLSv1.2), and OpenSSL 1.1.0 and later no longer contain SSLv2 at all.

This also disables SSLv3, which has its own problems: POODLE is specific to SSLv3, while BEAST targets CBC cipher suites in both SSLv3 and TLS 1.0, so it is only partly addressed by this change. After reloading, verify from the outside, for example with nmap --script sslv2,ssl-enum-ciphers -p 25,465,587,110,143,993,995 <host>, which lists the protocol versions each port still accepts.

More info about the DROWN attack: https://drownattack.com