1

Topic: How would I disable TLS 1.0 and TLS 1.1 and make TLS 1.2 preferred?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? Used the SH from Github.
- Linux/BSD distribution name and version: Ubuntu 20.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I wanted to know how I would disable TLS 1.0 and TLS 1.1 and set TLS 1.2 as the preferred method? According to this analyzer (https://www.hardenize.com/report/voltcl … #email_tls), it says they are all there, but there is no preference. I'm not very technically inclined in this type of stuff, so if you could simplify why it is saying this somewhat so I can understand?

Thanks for any help.


2

Re: How would I disable TLS 1.0 and TLS 1.1 and make TLS 1.2 preferred?

Ize_Cubz wrote:

I wanted to know how I would disable TLS 1.0 and TLS 1.1 and set TLS 1.2 as the preferred method? According to this analyzer (https://www.hardenize.com/report/voltcl … #email_tls), it says they are all there, but there is no preference. I'm not very technically inclined in this type of stuff, so if you could simplify why it is saying this somewhat so I can understand?

Thanks for any help.

Check this:
/etc/postfix/main.cf

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

---
Regards
pitterski
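
Added example (not part of the original thread, and not iRedMail or Postfix code): a Python check that reads main.cf text and reports, for each of the four parameters in the reply above, which legacy protocols are still allowed. The sample config and all function names are constructed for illustration, and only the include/exclude ("!") list form shown in the reply is handled.

```python
import re

# The four main.cf parameters from the reply above.
PARAMS = ("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols",
          "smtp_tls_mandatory_protocols", "smtp_tls_protocols")
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: one weak setting, one continuation line, one parameter unset.
SAMPLE = """\
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2,
    !SSLv3, !TLSv1, !TLSv1.1
"""

def parse_main_cf(text):
    """Return {name: value}: skips comments, joins continuation lines, last one wins."""
    settings, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:      # leading whitespace continues the previous line
            settings[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            settings[name] = value
    return settings

def enabled_protocols(value):
    """Apply the include/exclude list form: names include, !names exclude."""
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    unknown = (include | exclude) - set(KNOWN)
    if unknown:
        raise ValueError(f"unrecognised protocol token(s): {sorted(unknown)}")
    base = include or set(KNOWN)           # exclusions only: everything else stays enabled
    return [p for p in KNOWN if p in base and p not in exclude]

def audit(text):
    """Per parameter: legacy protocols still allowed, or None when it is unset."""
    settings = parse_main_cf(text)
    return {n: [p for p in enabled_protocols(settings[n]) if p in LEGACY]
            if n in settings else None     # unset: the installed version's default applies
            for n in PARAMS}

if __name__ == "__main__":
    for name, legacy in audit(SAMPLE).items():
        print(name, "->", "unset" if legacy is None else legacy or "no legacy protocols")
```

An empty list means the parameter excludes everything below TLSv1.2. Per-service "-o" overrides in master.cf are not read by this check.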

3

Re: How would I disable TLS 1.0 and TLS 1.1 and make TLS 1.2 preferred?

In Dovecot config file (/etc/dovecot/dovecot.conf), check "ssl_min_protocol", it's set to TLSv1.2 by default.
In iRedMail-1.3.2, TLSv1.2 is the minimal secure protocol BY DEFAULT, set in:

- Nginx (https, port 443)
- Postfix (submission, port 587)
- Dovecot (pop3/imap/managesieve, 110/143/993/995/4190)

4

Re: How would I disable TLS 1.0 and TLS 1.1 and make TLS 1.2 preferred?

Pitterski's method fixed one of the issues; now it says:

"Even though this server supports TLS 1.2, the cipher suite configuration is suboptimal. We recommend that you reconfigure the server so that the cipher suites providing forward secrecy (ECDHE or DHE in the name, in this order of preference) and authenticated encryption (GCM or CHACHA20 in the name) are at the top. The server must also be configured to select the best-available suite."

Is this possible, and how would I do it?