On 22/07/2020 12:45, Viktor Dukhovni wrote:
The plan is to soon not require Postfix users to go down that particular
rabbit hole.  Instead Postfix will disable any TLS protocol lower/upper
bounds inherited from system policy, and apply its own, based on
whichever of:

     lmtp_tls_protocols, lmtp_tls_mandatory_protocols,
     smtp_tls_protocols, smtp_tls_mandatory_protocols,
     smtpd_tls_protocols, smtpd_tls_mandatory_protocols,
     tlsproxy_tls_protocols, tlsproxy_tls_mandatory_protocols

happens to be applicable.  This should be possible with the
next patch level of the supported stable releases.

In Postfix 3.6, the built-in Postfix controls will be extended to
support setting upper/lower bounds, as a preferred alternative
to enumerating individual protocol versions to exclude.


Just as an observation, while trying to enable TLSv1 on Postfix and getting into this rabbit hole, I found that Dovecot (intentionally or not) already does not respect those system-wide restrictions. I could get the latest Dovecot (built from sources, just like the Postfix I'm using) to accept TLSv1 with no system changes at all. Even on the DEFAULT system policy, which does not accept TLSv1, Dovecot accepts it with no problems, if configured that way.


--


        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAM trap, do NOT email it
        gertru...@solutti.com.br
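For reference, here is what the two styles of protocol control discussed above look like in practice, as an added example that is not part of the original thread or of the Postfix or Dovecot documentation. It assumes a Postfix 3.6 or later server (for the bounds syntax) next to a pre-3.6 one (for the exclusion-list syntax), and a Dovecot 2.3 or later server; the choice of TLSv1 as the lower bound only mirrors the case discussed in the thread and is not a recommendation.

```ini
# ---- Postfix main.cf, releases before 3.6 ----
# Only exclusion of individual versions is possible: anything not listed
# is accepted, subject to the OpenSSL library's own policy.
smtpd_tls_protocols           = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols            = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols  = !SSLv2, !SSLv3

# ---- Postfix main.cf, 3.6 and later ----
# Lower/upper bounds, which Postfix applies itself instead of inheriting
# the system-wide OpenSSL limits. The mandatory (encrypt/dane/verify)
# settings are kept stricter than the opportunistic ones on purpose.
smtpd_tls_protocols           = >=TLSv1, <=TLSv1.3
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_protocols            = >=TLSv1, <=TLSv1.3
smtp_tls_mandatory_protocols  = >=TLSv1.2
# lmtp_tls_* and tlsproxy_tls_* take the same forms.

# ---- Dovecot conf.d/10-ssl.conf (2.3+) ----
# A single lower bound; TLSv1 here reproduces the observation above that
# Dovecot honours its own setting regardless of the system policy.
ssl_min_protocol = TLSv1
```

Whichever form is in use, check the effective value with `postconf smtpd_tls_protocols` (or `doveconf ssl_min_protocol`) rather than reading the file, and verify the result from the outside with `openssl s_client -starttls smtp -tls1 -connect host:25`, since a system policy (the distribution's OpenSSL configuration) can still silently override an exclusion list on older Postfix releases.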


