On Tue, Jun 06, 2023 at 11:52:42AM -0400, PGNet Dev wrote:
> > Note that Postfix ">=TLS..." syntax explicitly sets the minimum protocol
> > level, overriding any config file defaults (including crypto policy).
>
> I did not understand that to be the case.
>
> tho I *do* have
>
> smtp_tls_protocols = >=TLSv1.1, <=TLSv1.3
> smtpd_tls_protocols = >=TLSv1.1, <=TLSv1.3
>
> v1.1 is not allowed in this test, whereas v1.2+ is.
Almost certainly on the client end. When I use a client with TLSv1.[01] and security level 0, it negotiates TLSv1.[01] with Postfix just fine.

For now, you only need to override the system defaults to reënable verification of SHA1 signatures. Or if you're particularly keen to tweak the list of supported signature algorithms, for which (unlike EC curves and TLS 1.3 FFDHE groups) there isn't presently a Postfix configuration knob.

It may of course be prudent to opt-out of RedHat's crypto policies for email as a precaution, just in case they will soon add more counter-productive (in opportunistic TLS) "hardening".

-- 
Viktor.
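As an added illustration (not part of the thread, and not Postfix's own code), a small evaluator for the `*_tls_protocols` syntax discussed above: it turns a setting into the list of versions it permits and reports whether a `>=` token was present, which is the form the reply says pins the minimum itself rather than inheriting it from the system crypto policy. The evaluation rules are my reading of the range (`>=`/`<=`) and exclusion (`!`) forms, written as an assumption rather than taken from Postfix source.

```python
import re

# Postfix protocol names, oldest to newest.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_tls_protocols(setting):
    """Evaluate a Postfix *_tls_protocols value (assumed rules, see lead-in).

    Returns (allowed, explicit_floor). `allowed` lists the versions the
    setting permits, oldest first. `explicit_floor` is True when a ">="
    token is present: that form sets the minimum version in the setting
    itself, so a floor coming from an OpenSSL config file or a system
    crypto policy is not what decides. The exclusion form ("!SSLv2,
    !SSLv3") only removes versions and leaves the floor to the defaults.
    """
    tokens = [t for t in re.split(r"[\s,]+", setting.strip()) if t]
    low, high = 0, len(PROTOCOLS) - 1
    excluded, included = set(), set()
    explicit_floor = False
    for tok in tokens:
        m = re.fullmatch(r"(>=|<=|!)?(.+)", tok)
        op, name = m.group(1), m.group(2)
        if name not in PROTOCOLS:
            raise ValueError(f"unknown protocol name: {name!r}")
        idx = PROTOCOLS.index(name)
        if op == ">=":
            low = max(low, idx)
            explicit_floor = True
        elif op == "<=":
            high = min(high, idx)
        elif op == "!":
            excluded.add(name)
        else:
            included.add(name)  # bare name: positive inclusion list
    allowed = [p for p in PROTOCOLS[low:high + 1] if p not in excluded]
    if included:
        allowed = [p for p in allowed if p in included]
    return allowed, explicit_floor


if __name__ == "__main__":
    # The value from the quoted message, plus the common exclusion form.
    for value in (">=TLSv1.1, <=TLSv1.3", "!SSLv2, !SSLv3", ">=TLSv1.2"):
        allowed, floor = parse_tls_protocols(value)
        print(f"{value:24} -> {allowed} explicit_floor={floor}")
```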