> On Mar 29, 2018, at 3:26 PM, J Doe <gene...@nativemethods.com> wrote:
>
> Ok, I have to say I feel pretty pleased with myself - I found a solution
> roughly around when your e-mail came in, so I tried my solution first and it
> worked!
>
> I ran nmap against the server to enumerate the TLS versions in use and the
> output noted that the cipher preference was set to “client”. Googling for
> server preference in Postfix brought me to the Postfix web page on TLS [1]
> which mentioned the “mandatory” set of settings. I then edited the list I
> sent in my previous e-mail, restarted Postfix and ran the nmap enumeration
> again and it now supports only TLS 1.2.
>
> Your e-mail confirms my results - thank you.
Note that the cipher settings (and whether the client's or server's list is used to rank ciphers) don't affect protocol version selection. The highest shared protocol version is selected first, and only then a suitable shared cipher. Therefore, if it works now, it is likely because you ran "postfix reload", or because changes in main.cf are seen by each smtpd(8) process at startup, but changes in master.cf require a reload to take effect.

-- 
Viktor.
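One way to verify from the client side what the thread describes (which protocol versions the MTA still negotiates after the change and reload), as an added example that is not code from this thread or from Postfix: a Python STARTTLS probe that pins exactly one TLS version per connection, standing in for the nmap enumeration. The host name and the injectable `smtp_class` parameter are assumptions for illustration and offline testing.

```python
import smtplib
import ssl

# Candidate protocol versions to probe, oldest first.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def pinned_context(version):
    """Client context that offers exactly one protocol version.

    Certificate checks are disabled because the goal is to learn what the
    server will negotiate, not to validate its identity.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def negotiated_version(host, port, version, smtp_class=smtplib.SMTP):
    """Return the protocol string the server agreed to over STARTTLS, or
    None if the handshake was refused. smtp_class is an injectable stand-in
    (assumption) so the logic can be exercised without a live MTA."""
    try:
        with smtp_class(host, port, timeout=10) as conn:
            conn.ehlo()
            conn.starttls(context=pinned_context(version))
            return conn.sock.version()
    except (ssl.SSLError, smtplib.SMTPException, OSError, ValueError):
        return None


def enumerate_tls_versions(host, port=25, smtp_class=smtplib.SMTP):
    """Map each version name to whether the server accepts a handshake
    limited to that single version (the check a post-reload audit wants)."""
    return {
        name: negotiated_version(host, port, ver, smtp_class) is not None
        for name, ver in TLS_VERSIONS.items()
    }


if __name__ == "__main__":
    import sys
    for name, ok in enumerate_tls_versions(sys.argv[1]).items():
        print(f"{name:8} {'accepted' if ok else 'refused'}")
```

Run it once before and once after "postfix reload" to confirm that only the intended versions are accepted.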