On Thu, Mar 05, 2020 at 09:08:43PM +0100, ratatouille wrote:

> Don't know why TLSv1 is still offered on our servers running

Probably because you're not changing the configuration in the right place. Double-check that you're configuring the correct Postfix instance (if using multiple instances) and that there are no master.cf overrides that trump the main.cf settings.

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

It is not yet a good idea to disable TLSv1 in SMTP. But if you must degrade[1] your SMTP security for some clients to make sure that all the check boxes come out green, then the above should be enough, provided it is set in the right place.

I can confirm that bitclusive.de still supports TLSv1:

    $ posttls-finger -c -Lsummary -p TLSv1 bitclusive.de
    posttls-finger: Verified TLS connection established to smtp.bitclusive.de[2a03:4000:33:430:d423:c2ff:fe3d:b540]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

    $ posttls-finger -c -Lsummary -o inet_protocols=ipv4 -p TLSv1 bitclusive.de
    posttls-finger: Verified TLS connection established to smtp.bitclusive.de[92.60.38.182]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Other than test TLS connections, do you still see legitimate inbound email in your logs (looking over a week or more of logs) delivered with TLSv1? If not, then perhaps disabling TLSv1 will be harmless, but if you do, perhaps prod the senders to upgrade first, before you prevent them from establishing TLS connections to your MTA.

-- 
    Viktor.

[1] Some clients forced to send in clear text, because they don't do TLSv1.2.
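One way to answer the log question Viktor raises, as an added example that is not part of this thread: a small Python script that aggregates Postfix smtpd "TLS connection established" lines by protocol version and lists which sending hosts still negotiate the old protocols. The log line format is Postfix's own; the sample lines, hostnames and addresses below are constructed (RFC 5737 documentation ranges), and the SAMPLE_LOG name and function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Postfix smtpd logs every inbound TLS handshake in this shape:
#   "... postfix/smtpd[PID]: Anonymous TLS connection established from HOST[IP]: TLSv1 with cipher ..."
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Trusted|Untrusted|Verified) TLS connection established "
    r"from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+)"
)

# Constructed sample log (a few days of inbound traffic); real data would come from /var/log/mail.log.
SAMPLE_LOG = """\
Mar  1 08:12:01 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  1 09:30:44 mx postfix/smtpd[1220]: Anonymous TLS connection established from legacy.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  2 11:02:19 mx postfix/smtpd[1305]: Untrusted TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  3 14:45:03 mx postfix/smtpd[1410]: Anonymous TLS connection established from legacy.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  4 16:10:55 mx postfix/smtpd[1522]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  4 16:11:02 mx postfix/smtpd[1523]: connect from scanner.example.com[203.0.113.9]
"""

def tls_protocol_report(log_text):
    """Count inbound TLS handshakes per protocol version and collect the client hosts per version."""
    per_proto = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:          # non-TLS lines (plain connects, queue activity) are skipped
            continue
        per_proto[m["proto"]] += 1
        clients[m["proto"]].add(m["host"])
    return per_proto, {p: sorted(h) for p, h in clients.items()}

def legacy_clients(log_text, old=("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")):
    """Hosts that would lose TLS (and fall back to cleartext) if the old protocols were disabled."""
    _, clients = tls_protocol_report(log_text)
    return sorted({h for p in old for h in clients.get(p, [])})

if __name__ == "__main__":
    counts, hosts = tls_protocol_report(SAMPLE_LOG)
    for proto, n in sorted(counts.items()):
        print(f"{proto:8} {n:4}  {', '.join(hosts[proto])}")
    print("senders to prod before disabling TLSv1:", legacy_clients(SAMPLE_LOG))
```

Run it over a week or more of real mail.log before changing smtpd_tls_protocols; an empty legacy list means the change is unlikely to push anyone to cleartext.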