> On 5 March 2020, at 15:26, ratatouille <ratatoui...@bitclusive.de> wrote:
> 
> Viktor Dukhovni <postfix-us...@dukhovni.org> wrote on 05.03.20 at 16:44:14:
> 
>> On Thu, Mar 05, 2020 at 09:08:43PM +0100, ratatouille wrote:
>> 
>>> Don't know why TLSv1 is still offered on our servers running  
>> 
>> Probably because you're not changing the configuration in the right
>> place.  Double-check that you're configuring the correct Postfix
>> instance (if using multiple instances) and that there are no
>> master.cf overrides that trump the main.cf settings.
>> 
>>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
>>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1  
> 
> Found out if I want to disable TLSv1.1 too I just have to do so.
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> and suddenly it works ;)
> 
>> Other than test TLS connections, do you still see legitimate inbound email
>> in your logs (looking over a week or more of logs) delivered with TLSv1?
> 
> I have just two TLSv1 connections this month:
> ...
> 11 TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)
>  9 TLSv1.2 with cipher CAMELLIA256-SHA (256/256 bits)
>  9 TLSv1.2 with cipher CAMELLIA128-SHA (128/128 bits)
>  9 TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>  8 TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
>  8 TLSv1.1 with cipher AES256-SHA (256/256 bits)
>  8 TLSv1.1 with cipher AES128-SHA (128/128 bits)
>  7 TLSv1.1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
>  7 TLSv1.1 with cipher DHE-RSA-CAMELLIA128-SHA (128/128 bits)
>  7 TLSv1.1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
>  7 TLSv1.1 with cipher CAMELLIA256-SHA (256/256 bits)
>  7 TLSv1.1 with cipher CAMELLIA128-SHA (128/128 bits)
>  4 TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA (112/168 bits)
>  2 TLSv1.2 with cipher DES-CBC3-SHA (112/168 bits)
>  1 TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>  1 TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Small mail server with 3 weeks of logs:

   1761 TLSv1
     18 TLSv1.1
  20414 TLSv1.2
   6343 TLSv1.3
      0 SSL

That's not what I expected.  I thought v1 and v1.1 would be reversed.  There is 
a complete spectrum of ciphers being used with v1 including some of the most 
recent.  I am using the defaults for the protocols and ciphers.

-- Doug
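
One way to produce per-protocol counts like those above and to see which clients account for the TLSv1 and TLSv1.1 share before excluding those protocols. This is an added example, not part of the original messages; it assumes `smtpd_tls_loglevel` is 1 or higher and that the log lines look like the constructed sample inside the script.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes smtpd_tls_loglevel = 1 or higher, so smtpd
# logs "... TLS connection established from host[ip]: PROTO with cipher ...".

# parse_tls: read log lines on stdin, emit "PROTO PEER" per inbound TLS handshake.
parse_tls() {
    awk '/\/smtpd\[[0-9]+\]: / && / TLS connection established from / {
        n = split($0, w, " ")
        for (i = 3; i < n; i++)
            if (w[i] == "with" && w[i + 1] == "cipher") {
                peer = w[i - 2]; sub(/:$/, "", peer)
                print w[i - 1], peer
                break
            }
    }'
}

# tls_tally: inbound connections per protocol version, printed as "count protocol".
tls_tally() {
    parse_tls | awk '{ c[$1]++ } END { for (p in c) printf "%7d %s\n", c[p], p }' |
        sort -k2,2
}

# tls_legacy_peers: clients still negotiating TLSv1 or TLSv1.1, busiest first.
tls_legacy_peers() {
    parse_tls | awk '$1 == "TLSv1" || $1 == "TLSv1.1" { c[$2 " " $1]++ }
        END { for (k in c) printf "%7d %s\n", c[k], k }' | sort -k1,1nr -k2
}

# sample_log: constructed log lines with documentation addresses, not real traffic.
sample_log() {
    cat <<'EOF'
Mar  5 10:00:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  5 10:02:11 mx postfix/smtpd[2102]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  5 10:03:40 mx postfix/smtpd[2103]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  5 10:04:02 mx postfix/smtpd[2104]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Mar  5 10:05:15 mx postfix/smtpd[2105]: Anonymous TLS connection established from scanner.example.com[203.0.113.9]: TLSv1.1 with cipher AES256-SHA (256/256 bits)
Mar  5 10:05:16 mx postfix/smtp[2106]: Trusted TLS connection established to mx.example.org[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  5 10:06:00 mx postfix/smtpd[2101]: connect from mail.example.org[192.0.2.10]
EOF
}

sample_log | tls_tally
sample_log | tls_legacy_peers
```

On a real server, feed the mail log to `tls_tally` and `tls_legacy_peers` on standard input instead of `sample_log`; outbound `postfix/smtp` lines are ignored, so the counts cover inbound handshakes only.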