Hello!

Don't know why TLSv1 is still offered on our servers running

mail_version = 2.11.3
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

but a scan by ssllabs.com or with testssl.sh shows TLSv1 is still supported.

I am not sure what's wrong. What am I missing?

Other parameters I set:
smtpd_tls_CApath = /var/lib/ca-certificates/pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/bitcorner.de/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA, secp224r1,
    ECDHE-RSA-DES-CBC3-SHA
smtpd_tls_key_file = /etc/letsencrypt/live/bitcorner.de/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s

Regards

  Andreas
