Hello,

I tried disabling TLSv1.0 and TLSv1.1 on our Postfix mail servers at the beginning of the year (since there were advisories that anything older than 1.2 is considered weak and broken), and it did not end well: there were numerous complaints from what turned out to be a still-supported LTS version of Windows 8 (supported until 2023), whose Outlook still uses the obsolete versions of TLS, and their handshakes fail.

--
Regards,
Daniel Ryšlink

On 05-Mar-20 21:08, ratatouille wrote:

Hello!

Don't know why TLSv1 is still offered on our servers running

mail_version = 2.11.3
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

but a scan by ssllabs.com or with testssl.sh shows TLSv1 is still supported.

I am not sure what's wrong. What do I miss?

Other parameters I set:
smtpd_tls_CApath = /var/lib/ca-certificates/pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/bitcorner.de/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, secp224r1, ECDHE-RSA-DES-CBC3-SHA
smtpd_tls_key_file = /etc/letsencrypt/live/bitcorner.de/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s

Regards

   Andreas
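An added example (my own Python, not code from the thread or from Postfix) that works through Andreas's question above: it parses the posted protocol settings together with a constructed master.cf and reports which protocol versions each smtpd service really offers, because a per-service -o override in master.cf, or a security level that selects the mandatory list instead of the opportunistic one, can leave TLSv1 enabled on one port while main.cf excludes it. The master.cf content and the protocol universe are assumptions, not from the thread.

```python
import re
# Constructed sample: Andreas's settings from the thread plus a hypothetical master.cf submission override.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
"""
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # assumed: Postfix 2.11 on OpenSSL 1.0.x

def parse_main_cf(text):
    """main.cf: 'name = value'; an indented line continues the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line and not line.startswith("#"):
            name, value = [s.strip() for s in line.split("=", 1)]
            params[name] = value
    return params

def parse_master_cf(text):
    """master.cf: {service: {param: value}} from each service's indented '-o name=value' lines."""
    services, service = {}, None
    for line in text.splitlines():
        if line[:1].isalnum():
            services[(service := line.split()[0])] = {}
        elif service and (m := re.match(r"\s+-o\s+([^=\s]+)=(\S*)", line)):
            services[service][m.group(1)] = m.group(2)
    return services

def effective_protocols(value):
    """'!X' excludes X from ALL_PROTOCOLS; bare names form an include-only list (separators: space, comma, colon)."""
    items = [t for t in re.split(r"[\s,:]+", value) if t]
    return [p for p in ([t for t in items if t[0] != "!"] or ALL_PROTOCOLS) if "!" + p not in items]

def audit(main_cf, master_cf):
    """Per smtpd service, the protocols really enabled once -o overrides and the security level apply."""
    main, report = parse_main_cf(main_cf), {}
    for service, overrides in parse_master_cf(master_cf).items():
        cfg = {**main, **overrides}  # master.cf -o settings win over main.cf
        level = cfg.get("smtpd_tls_security_level", "none")  # none: STARTTLS not offered at all
        param = "smtpd_tls_mandatory_protocols" if level == "encrypt" else "smtpd_tls_protocols"
        report[service] = [] if level == "none" else effective_protocols(cfg.get(param, ""))
    return report
```

With the sample above, port 25 (level may) offers only TLSv1.1 and TLSv1.2, while submission (level encrypt) still offers TLSv1 because its override replaced the mandatory list; a scanner pointed at 587 would report exactly what Andreas saw.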
