1 Topic by Chameleon

  • Chameleon
  • Member
  • Offline
  • Registered: 2013-01-22
  • Posts: 40

Topic: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.1 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer? NO
- Linux/BSD distribution name and version:  Ubuntu 18.04.4 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi can you please tell me how to disable TLS 1.1 and enable TLS 1.2 and 1.3 ONLY on IMAP/IMAPs,POP3/POP3s and SMTP (587)?

Thanks in advance.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

In dovecot.conf, disable them in ssl_protocols like this:

ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

3 Reply by Chameleon

  • Chameleon
  • Member
  • Offline
  • Registered: 2013-01-22
  • Posts: 40

Re: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

ZhangHuangbin wrote:

In dovecot.conf, disable them in ssl_protocols like this:

ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

Thank you for the above, but what about 587 / tcp / smtp

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

In /etc/postfix/main.cf:

smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

5 Reply by Chameleon

  • Chameleon
  • Member
  • Offline
  • Registered: 2013-01-22
  • Posts: 40

Re: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

ZhangHuangbin wrote:

In /etc/postfix/main.cf:

smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

I did that, but I still see that TLSv1.1 is enabled, after service restart for both ports 25 and 587.

6 Reply by dsp3 (edited by dsp3 2020-05-18 20:02:56)

  • dsp3
  • Member
  • Offline
  • Registered: 2015-12-23
  • Posts: 104

Re: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

Chameleon wrote:
ZhangHuangbin wrote:

In /etc/postfix/main.cf:

smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

I did that, but I still see that TLSv1.1 is enabled, after service restart for both ports 25 and 587.

smtpd_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

7 Reply by Chameleon

  • Chameleon
  • Member
  • Offline
  • Registered: 2013-01-22
  • Posts: 40

Re: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

dsp3 wrote:
Chameleon wrote:
ZhangHuangbin wrote:

In /etc/postfix/main.cf:

smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

I did that, but I still see that TLSv1.1 is enabled, after service restart for both ports 25 and 587.

smtpd_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

Hi, I did that too, but if I scan the server with system like Nessus Security Scan, I can see this:
TLS Version 1.1 Protocol Detection
and affected ports:
587 / tcp / smtp    
25 / tcp / smtp    
8010 / tcp / www  (this is something which I don't know where it come from. Local nmap didn't show it)

I have restarted the postfix and even the server itself, but no luck.

8 Reply by PaulCahill

  • PaulCahill
  • PaulCahill
  • Member
  • Offline
  • From: Northern KY, USA
  • Registered: 2018-06-02
  • Posts: 49

Re: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

What version of openssl do you have installed?
http://www.postfix.org/postconf.5.html# … _protocols

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be disabled, if need be, via "!TLSv1.3".

PaulCahill's Website

9 Reply by dsp3

  • dsp3
  • Member
  • Offline
  • Registered: 2015-12-23
  • Posts: 104

Re: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1

As a side note

smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3

This can't be changed, otherwise Roundcube SMTP will fail