I'm getting ready to deploy a new SMTP server, and I'm not sure how to ensure that it is using strong encryption. The server software is Postfix running only SMTP. I've added the following to the main.cf file (stolen from here):
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = encrypt
# Pick ONE of the next two settings: main.cf keeps the last assignment
# of a parameter, so as written the second line silently overrides the first.
smtpd_tls_mandatory_protocols = TLSv1
# Also available with Postfix ≥ 2.5 (exclusion form, preferred):
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
Restarted the daemon and everything seems to work as intended, but I'm not sure how to test that only the strong ciphers are enabled. The following allows me to connect, but I'm not sure which combination of flags (-no_ssl3, -no_tls1, etc.) to use in order to ensure that only the strong encryption is enabled.
openssl s_client -starttls smtp -crlf -connect mail.mysite.com:25
You can test the individual ciphers using the -cipher <cipherspec> option (see the OpenSSL manual for more info on this option and how to write cipher specifications). In your case you can specify a cipherspec of all the low-grade ciphers that you don't want to use, and your server should reject the attempt.
You should also test the ciphers you want to use (individually) to be sure they work.
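As an added illustration of the approach in this answer (my own script, not the answerer's or the Postfix project's), here is a POSIX shell script that drives `openssl s_client -starttls smtp` with a list of cipher specs and classifies each result. It assumes the hostname mail.mysite.com from the question, that `openssl` is on PATH, and that the server listens on port 25; it also goes a little beyond the answer by probing protocol versions with the `-tls1`, `-tls1_1` and `-tls1_2` flags, which the question asked about. The third outcome, "untestable", is the caveat you want: if your local OpenSSL is built without the weak suites (modern builds drop RC4/MD5 and export ciphers by default), `-cipher MD5` fails on the client side with "no cipher match" and tells you nothing about the server.

```shell
#!/bin/sh
# Added example, not code from the question or answer: probe a Postfix
# STARTTLS listener with weak and strong cipher specs and protocol flags,
# and report how each handshake ended.
# HOST/PORT default to the hostname used in the question (an assumption).
HOST="${HOST:-mail.mysite.com}"
PORT="${PORT:-25}"

# Classify captured s_client output as one of:
#   accepted   - handshake completed   ("New, TLSv1.2, Cipher is ECDHE-...")
#   rejected   - server refused it     ("New, (NONE), Cipher is (NONE)")
#   untestable - the local OpenSSL could not even offer the spec
#                ("no cipher match" for ciphers, "unknown option" for a
#                protocol flag the local build lacks)
#   error      - no handshake result at all (e.g. connection refused)
classify() {
    case "$1" in
        *'no cipher match'*|*'unknown option'*) echo untestable ;;
        *'Cipher is (NONE)'*)                  echo rejected ;;
        *'Cipher is '*)                        echo accepted ;;
        *)                                     echo error ;;
    esac
}

# Run one handshake attempt with extra s_client arguments and print the
# verdict next to the arguments. `</dev/null` closes the session as soon
# as the handshake summary has been printed.
probe() {
    out=$(openssl s_client -starttls smtp -crlf -connect "$HOST:$PORT" "$@" </dev/null 2>&1)
    printf '%-12s %s\n' "$(classify "$out")" "$*"
}

# Only touch the network when invoked as `sh probe.sh run`, so the
# functions above can be sourced and exercised offline.
if [ "${1:-}" = run ]; then
    echo "== cipher specs the server should reject (expect: rejected) =="
    for spec in 'aNULL' 'eNULL' 'MD5' 'LOW:EXPORT' 'RC4' 'DES'; do
        probe -cipher "$spec"
    done
    echo "== cipher specs the server should accept (expect: accepted) =="
    for spec in 'HIGH' 'HIGH:!aNULL:!MD5'; do
        probe -cipher "$spec"
    done
    echo "== protocol versions (expect: rejected for anything you excluded) =="
    for flag in -tls1 -tls1_1 -tls1_2; do
        probe "$flag"
    done
fi
```

Read the output column by column: every weak spec should come back "rejected", every strong one "accepted", and any "untestable" row means you need an older client (or a build with the weak suites enabled) to actually prove the server turns that suite away. An "error" row usually means the connection itself failed, so check the host and port before drawing conclusions about the cipher policy.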