On Tue, Jun 06, 2023 at 11:52:42AM -0400, PGNet Dev wrote:

> > Note that Postfix ">=TLS..." syntax explicitly sets the minimum protocol
> > level, overriding any config file defaults (including crypto policy).
> 
> I did not understand that to be the case.
> 
> Though I *do* have
> 
>          smtp_tls_protocols = >=TLSv1.1, <=TLSv1.3
>          smtpd_tls_protocols = >=TLSv1.1, <=TLSv1.3
> 
> v1.1 is not allowed in this test, whereas v1.2+ is.

Almost certainly on the client end.  When I use a client
with TLSv1.[01] and security level 0, it negotiates TLSv1.[01]
with Postfix just fine.

For now, you only need to override the system defaults to reënable
verification of SHA1 signatures.  Or if you're particularly keen to
tweak the list of supported signature algorithms, for which (unlike EC
curves and TLS 1.3 FFDHE groups) there isn't presently a Postfix
configuration knob.

It may of course be prudent to opt out of Red Hat's crypto policies
for email as a precaution, just in case they will soon add more
counter-productive (in opportunistic TLS) "hardening".

-- 
    Viktor.
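The two ways a Postfix `smtp(d)_tls_protocols` value can express what the server accepts, as an added example that is not part of this thread or of Postfix's own code: a small re-implementation of the ">=/<=" bound syntax discussed above and the older "!" exclusion form, plus a helper showing why a TLSv1.1 failure against this setting points at the client. The parsing rules are an assumed simplification, not Postfix's parser.

```python
import re

# Protocol names in ascending order; these are the names Postfix accepts.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def effective_protocols(setting):
    """Protocol versions permitted by a Postfix smtp(d)_tls_protocols value.

    Hypothetical re-implementation (not Postfix's own parser) of two forms:
      range form     ">=TLSv1.1, <=TLSv1.3"   -> explicit lower/upper bound
      exclusion form "!SSLv2, !SSLv3, !TLSv1" -> everything except the listed
    Mixing the forms, or an unknown name, raises ValueError.
    """
    tokens = [t for t in re.split(r"[\s,:]+", setting.strip()) if t]
    if not tokens:
        return list(PROTOCOLS)          # empty value: no restriction
    bounds = [t for t in tokens if t.startswith((">=", "<="))]
    excluded = [t[1:] for t in tokens if t.startswith("!")]
    if len(bounds) + len(excluded) != len(tokens) or (bounds and excluded):
        raise ValueError(f"unsupported or mixed syntax: {setting!r}")
    for name in [b[2:] for b in bounds] + excluded:
        if name not in PROTOCOLS:
            raise ValueError(f"unknown protocol name {name!r}")
    if bounds:
        lo, hi = 0, len(PROTOCOLS) - 1
        for b in bounds:
            idx = PROTOCOLS.index(b[2:])
            if b.startswith(">="):
                lo = max(lo, idx)       # the minimum is set explicitly here
            else:
                hi = min(hi, idx)
        return PROTOCOLS[lo:hi + 1]
    return [p for p in PROTOCOLS if p not in excluded]


def negotiated_version(server_setting, client_offers):
    """Highest version both sides allow, or None if the handshake must fail."""
    common = set(effective_protocols(server_setting)) & set(client_offers)
    return max(common, key=PROTOCOLS.index) if common else None


if __name__ == "__main__":
    setting = ">=TLSv1.1, <=TLSv1.3"   # the value quoted in the thread
    print(effective_protocols(setting))
    # A client that offers TLSv1.1 negotiates it against this server setting...
    print(negotiated_version(setting, ["TLSv1.1"]))
    # ...while a client whose own policy floor is TLSv1.2 never offers it.
    print(negotiated_version(setting, ["TLSv1.2", "TLSv1.3"]))
```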