Hi Viktor

> On Mar 29, 2018, at 3:15 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Mar 29, 2018, at 2:56 PM, J Doe <gene...@nativemethods.com> wrote:
>>
>> I am attempting to restrict the TLS protocol version used by my SMTP AUTH’d
>> clients on the submission service.
>>
>> In master.cf I have added the following to the submission service:
>>
>>   -o smtpd_tls_ciphers=high
>>   -o smtpd_tls_exclude_ciphers=EXPORT,MEDIUM
>>   -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2
>
> Given that TLS is typically mandatory for submission (you should have
> "-o smtpd_tls_security_level=encrypt" already set), it is simpler to just
> set "smtpd_tls_mandatory_protocols" in main.cf. The recommended syntax
> is to just eliminate the negative, but not accentuate the positive:
>
>   smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
>
> If TLS 1.3 happens someday to be supported by both ends, no need to
> preclude its use at that time.
>
>> …however, when I test via the OpenSSL client:
>>
>>   openssl s_client -connect example.com:587 -starttls smtp -tls1
>>
>> …it connects and negotiates TLS 1.0. It will also negotiate TLS 1.1 and TLS
>> 1.2 on successive tests.
>>
>> What am I doing wrong?
>
> Perhaps a missing "postfix reload" or some syntax issue with master.cf.
Thanks for your reply.

Ok, I have to say I feel pretty pleased with myself - I found a solution roughly around when your e-mail came in, so I tried my solution first and it worked!

I ran nmap against the server to enumerate the TLS versions in use and the output noted that the cipher preference was set to “client”. Googling for server preference in Postfix brought me to the Postfix web page on TLS [1] which mentioned the “mandatory” set of settings. I then edited the list I sent in my previous e-mail, restarted Postfix and ran the nmap enumeration again and it now supports only TLS 1.2.

Your e-mail confirms my results - thank you.

- J

Sources:

[1] http://www.postfix.org/TLS_README.html#server_cipher
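As an added illustration of the two points in this exchange (this is example code written for this page, not part of the thread and not Postfix's own parser): a small Python model of how a Postfix protocol list is read, applied to the two settings quoted above, plus a helper that says which protocol parameter a given smtpd_tls_security_level actually consults. It assumes the semantics given in the Postfix TLS documentation: names are separated by whitespace, commas or colons and matched case-insensitively; a "!"-prefixed name excludes that version; if any name appears without "!", the list becomes an inclusion list and every unlisted version is excluded; an empty list enables everything. The presence of TLSv1.3 in the known-version table is also an assumption about the Postfix/OpenSSL build.

```python
# Added example: a model of Postfix protocol-list parsing (assumed semantics,
# see the lead-in); not code from the thread or from the Postfix source.
import re

# Versions Postfix knows about, oldest first (assumption: the build has TLSv1.3).
KNOWN_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def allowed_protocols(setting):
    """Return the tuple of protocol versions a given list leaves enabled."""
    canonical = {v.lower(): v for v in KNOWN_VERSIONS}
    include = set()
    exclude = set()
    for token in re.split(r"[\s,:]+", setting.strip()):
        if not token:
            continue
        negate = token.startswith("!")
        name = canonical.get(token.lstrip("!").lower())
        if name is None:
            raise ValueError(f"unknown protocol name: {token}")
        (exclude if negate else include).add(name)
    if include:
        # Inclusion list: anything not explicitly included is off, so a future
        # version such as TLSv1.3 stays disabled even though it was never named.
        enabled = include - exclude
    else:
        # Exclusion-only list: everything not excluded stays on.
        enabled = set(KNOWN_VERSIONS) - exclude
    return tuple(v for v in KNOWN_VERSIONS if v in enabled)


def old_versions_disabled(setting):
    """True when nothing below TLS 1.2 survives the list."""
    return all(v in ("TLSv1.2", "TLSv1.3") for v in allowed_protocols(setting))


def protocol_parameter_for(security_level):
    """Which server-side protocol list applies at a given smtpd_tls_security_level."""
    level = security_level.strip().lower()
    if level == "none":
        return None                               # TLS is not offered at all
    if level == "may":
        return "smtpd_tls_protocols"              # opportunistic TLS
    if level == "encrypt":
        return "smtpd_tls_mandatory_protocols"    # mandatory TLS, the usual case for submission
    raise ValueError(f"unknown smtpd_tls_security_level: {security_level}")


# The two lists from the thread: the mixed form and the exclusion-only form.
MIXED_LIST = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2"
EXCLUSION_LIST = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"

if __name__ == "__main__":
    for label, setting in (("mixed", MIXED_LIST), ("exclusion-only", EXCLUSION_LIST)):
        print(f"{label:15} {setting:40} -> {', '.join(allowed_protocols(setting))}")
    print("submission (encrypt) consults:", protocol_parameter_for("encrypt"))
```

Running it shows the difference Viktor was pointing at: the mixed list leaves only TLSv1.2, while the exclusion-only list leaves TLSv1.2 and TLSv1.3, and with the security level set to "encrypt" it is smtpd_tls_mandatory_protocols, not smtpd_tls_protocols, that the submission service reads.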