Virtually all my TLSv1 connections come from this mailing list...

Would there be any mileage in disabling OUTBOUND TLSv1 connections while
accepting inbound for a little while longer?

Allen C

On 05/03/2020 20:08, ratatouille wrote:
> Hello!
> 
> Don't know why TLSv1 is still offered on our servers running
> 
> mail_version = 2.11.3
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
> 
> but a scan by ssllabs.com or with testssl.sh shows TLSv1 is still supported.
> 
> I am not sure what's wrong. What am I missing?
> 
> Other parameters I set:
> smtpd_tls_CApath = /var/lib/ca-certificates/pem
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/live/bitcorner.de/fullchain.pem
> smtpd_tls_ciphers = high
> smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, secp224r1, ECDHE-RSA-DES-CBC3-SHA
> smtpd_tls_key_file = /etc/letsencrypt/live/bitcorner.de/privkey.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
> smtpd_tls_session_cache_timeout = 3600s
> 
> Regards
> 
>   Andreas
> 
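
Added example, not part of the original thread: a tally of negotiated TLS versions per direction and per peer, which shows who would be affected by dropping TLSv1 inbound (`smtpd_tls_protocols`) versus outbound (`smtp_tls_protocols`). It assumes the log line format Postfix writes at TLS loglevel 1; the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (hosts and IPs are made up) in the format Postfix
# logs with smtpd_tls_loglevel = 1 and smtp_tls_loglevel = 1.
SAMPLE_LOG = """\
Mar  5 20:01:12 mx postfix/smtpd[1234]: connect from lists.example.org[192.0.2.10]
Mar  5 20:01:12 mx postfix/smtpd[1234]: Anonymous TLS connection established from lists.example.org[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  5 20:03:40 mx postfix/smtpd[1240]: Anonymous TLS connection established from lists.example.org[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  5 20:04:02 mx postfix/smtpd[1241]: Anonymous TLS connection established from mail.example.com[192.0.2.25]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  5 20:05:19 mx postfix/smtp[2345]: Trusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  5 20:06:55 mx postfix/smtp[2346]: Untrusted TLS connection established to old-mx.example.org[198.51.100.9]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

# smtpd (server side) logs "from peer[ip]"; smtp (client side) logs "to peer[ip]:port".
TLS_LINE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd?\[\d+\]: "
    r"\w+ TLS connection established (?P<dir>from|to) "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# The protocol versions the configuration in this thread tries to exclude.
LEGACY = {"SSLv2", "SSLv3", "TLSv1"}


def tally(log_text):
    """Return (protocol counts per direction, legacy-protocol peers per direction)."""
    counts = {"inbound": Counter(), "outbound": Counter()}
    legacy_peers = {"inbound": Counter(), "outbound": Counter()}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS handshake summary line
        direction = "inbound" if m["dir"] == "from" else "outbound"
        counts[direction][m["proto"]] += 1
        if m["proto"] in LEGACY:
            legacy_peers[direction][m["host"]] += 1
    return counts, legacy_peers


if __name__ == "__main__":
    counts, legacy_peers = tally(SAMPLE_LOG)
    for direction in ("inbound", "outbound"):
        print(direction, dict(counts[direction]))
        for host, n in legacy_peers[direction].most_common():
            print(f"  legacy peer: {host} ({n} connections)")
```

Run it over the real mail log by passing the file contents to `tally()` in place of `SAMPLE_LOG`.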
