> On Mar 29, 2018, at 2:56 PM, J Doe <gene...@nativemethods.com> wrote:
>
> I am attempting to restrict the TLS protocol version used by my SMTP AUTH’d
> clients on the submission service.
>
> In master.cf I have added the following to the submission service:
>
> -o smtpd_tls_ciphers=high
> -o smtpd_tls_exclude_ciphers=EXPORT,MEDIUM
> -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2

Given that TLS is typically mandatory for submission (you should have
"-o smtpd_tls_security_level=encrypt" already set), it is simpler to just set
"smtpd_tls_mandatory_protocols" in main.cf. The recommended syntax is to
just eliminate the negative, but not accentuate the positive:

    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1

If TLS 1.3 happens someday to be supported by both ends, no need to preclude
its use at that time.

> …however, when I test via the OpenSSL client:
>
> openssl s_client -connect example.com:587 -starttls smtp -tls1
>
> …it connects and negotiates TLS 1.0. It will also negotiate TLS 1.1 and TLS
> 1.2 on successive tests.
>
> What am I doing wrong?

Perhaps a missing "postfix reload" or some syntax issue with master.cf.

-- 
Viktor.
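An added check, not part of the thread, for confirming after "postfix reload" which TLS versions the submission port still negotiates: it repeats the poster's openssl s_client probe once per version flag and classifies the captured output. The host and port are placeholders passed on the command line; the classifier relies on the "Cipher is (NONE)" / "Cipher    : 0000" lines that s_client prints when a handshake is refused.

```sh
#!/bin/sh
# Probe a submission port with openssl s_client for each TLS version and
# report which ones the server still accepts. Added example; host and port
# are command-line placeholders, not values taken from the thread.

# Classify captured s_client output. A version the local openssl does not
# know yields an "unknown option" error; no CONNECTED line means the TCP
# connect failed; a refused handshake leaves "Cipher is (NONE)" and a
# session block with "Cipher    : 0000"; an accepted one shows a real cipher.
classify_s_client_output() {
  case "$1" in
    *"nknown option"*) echo unsupported; return ;;
  esac
  case "$1" in
    *"CONNECTED("*) ;;
    *) echo unreachable; return ;;
  esac
  case "$1" in
    *"Cipher is (NONE)"*|*"Cipher    : 0000"*) echo refused ;;
    *"Cipher    : "*) echo accepted ;;
    *) echo refused ;;
  esac
}

# Run one probe: $1 host, $2 port, $3 s_client version flag (e.g. -tls1_2).
# </dev/null feeds EOF right after the handshake so s_client exits.
probe_version() {
  out=$(openssl s_client -connect "$1:$2" -starttls smtp "$3" </dev/null 2>&1)
  classify_s_client_output "$out"
}

# Probe every version flag, print one line per version, and return non-zero
# if TLS 1.0 or TLS 1.1 is still accepted, so the script can gate a check.
probe_all() {
  rc=0
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    result=$(probe_version "$1" "$2" "$flag")
    printf '%-8s %s\n' "$flag" "$result"
    case "$flag:$result" in
      -tls1:accepted|-tls1_1:accepted) rc=1 ;;
    esac
  done
  return "$rc"
}

# Only probe when a host and port are given: sh probe_tls.sh mail.example.com 587
if [ "$#" -eq 2 ]; then
  probe_all "$1" "$2"
fi
```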