How to fix the scanner finding "SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)" on 25/tcp (smtp), CVE-2015-4000

This is a short version of the guide at https://weakdh.org/sysadmin.html, reduced to the Postfix part.

Generate a 2048-bit Diffie-Hellman parameter file with openssl. This is a DH group, not a key, and generating it can take several minutes. Write it straight into the Postfix configuration directory, because main.cf below refers to it as ${config_directory}/dhparams.pem:

openssl dhparam -out /etc/postfix/dhparams.pem 2048

Then reconfigure Postfix.

Postfix SMTP

Both parameters go in /etc/postfix/main.cf. They are smtpd_ settings, so they apply to every smtpd instance in master.cf (port 25 and the submission ports alike).

Add the weakdh.org cipher exclusion list (the original guide spells the penultimate-but-one name "EDH-RSA-DES-CDB3-SHA"; the OpenSSL cipher is EDH-RSA-DES-CBC3-SHA, and a misspelled name silently excludes nothing):

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA

Add the DH parameter file. The parameter name is historical: despite the "1024" it is the file used for all non-export EDH ciphers, whatever the modulus size, so a 2048-bit group is fine here. (Postfix 3.1 and later ship a compiled-in 2048-bit group, so this line matters mainly on older releases.)

smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem

Reload configuration

sudo postfix reload
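The whole procedure above as one script, added here as an example and not taken from the original post, Postfix or weakdh.org. It assumes POSIX sh with awk, sed and grep, a Postfix configuration directory of /etc/postfix (override with POSTFIX_CONF), and that openssl and postfix are only needed by the functions that actually generate parameters, verify them, or reload the server. The main.cf editing is idempotent, so re-running it never duplicates the two settings.

```shell
#!/bin/sh
# Added example, not part of the original post or of Postfix/weakdh.org:
# applies the two main.cf settings idempotently and provides two checks.
# Assumptions: POSIX sh, awk, sed, grep; Postfix config directory is
# /etc/postfix (override with POSTFIX_CONF); openssl and postfix binaries
# are only needed by gen_dhparams, dhparam_bits, check_dh_bits and main.
set -eu

POSTFIX_CONF="${POSTFIX_CONF:-/etc/postfix}"

# weakdh.org exclusion list, with EDH-RSA-DES-CBC3-SHA spelled as OpenSSL names it.
EXCLUDE_CIPHERS='aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA'

# gen_dhparams FILE: create a 2048-bit DH group unless FILE already exists
# (generation is slow, minutes on small hosts, so never regenerate on every run).
gen_dhparams() {
    [ -s "$1" ] || openssl dhparam -out "$1" 2048
}

# dhparam_bits FILE: print the modulus size of a PEM DH parameter file.
dhparam_bits() {
    openssl dhparam -in "$1" -text -noout | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# set_param FILE KEY VALUE: rewrite an existing "KEY = ..." line or append one,
# writing through a temp file so main.cf is never left half-written.
set_param() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        awk -v k="$key" -v v="$value" \
            '$0 ~ "^[[:space:]]*" k "[[:space:]]*=" { print k " = " v; next } { print }' \
            "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_param FILE KEY: effective value of KEY (last occurrence wins, as in Postfix).
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# harden_main_cf FILE DHPARAM_PATH: the two settings from the post.
harden_main_cf() {
    set_param "$1" smtpd_tls_exclude_ciphers "$EXCLUDE_CIPHERS"
    set_param "$1" smtpd_tls_dh1024_param_file "$2"
}

# check_dh_bits HOST: force a DHE cipher over STARTTLS on port 25 and print the
# group size the server used; OpenSSL 1.0.2+ reports it as
# "Server Temp Key: DH, 2048 bits". Empty output means no DHE cipher was agreed.
check_dh_bits() {
    openssl s_client -connect "$1:25" -starttls smtp -tls1_2 -cipher 'EDH' </dev/null 2>/dev/null \
        | sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p'
}

main() {
    gen_dhparams "$POSTFIX_CONF/dhparams.pem"
    harden_main_cf "$POSTFIX_CONF/main.cf" '${config_directory}/dhparams.pem'
    postfix reload
    echo "dhparams: $(dhparam_bits "$POSTFIX_CONF/dhparams.pem") bits"
}

# Only touch the live system when explicitly asked:  sh logjam-postfix.sh apply
if [ "${1:-}" = apply ]; then
    main
fi
```

After `sh logjam-postfix.sh apply`, run `check_dh_bits mail.example.com` (your own hostname) from another machine; it should print 2048. The scanner flags the finding on any DHE handshake with a group of 1024 bits or less, so an empty result (no DHE cipher negotiated) is also acceptable, as long as the ECDHE ciphers still work.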

This clears the Logjam finding for Postfix on port 25. Verify it before re-running the scan: connect with openssl s_client using -starttls smtp and a DHE-only cipher list and confirm the reported temporary DH key is 2048 bits, and check with postconf that the two parameters are really in effect. Whether the server is PCI compliant again depends on the rest of the scan report; the same finding can be raised against any other TLS service on the host.
