On Mon, Jul 20, 2020 at 09:51:38PM -0300, Leonardo Rodrigues wrote:
> I have already tweaked smtpd_tls_mandatory_protocols and
> smtpd_tls_protocols to "!SSLv2, !SSLv3" but TLSv1 simply doesn't work.
Postfix does not set a minimum TLS protocol version, it just disables
the versions specified with '!' prefixes in smtpd_tls_protocols.
However, your system-wide OpenSSL configuration file:
http://postfix.1071664.n5.nabble.com/problem-connecting-with-android-device-tp106848p106863.html
or a vendor change to the OpenSSL library may result in a minimum protocol
version "behind Postfix's back".
> While googling for the error
>
> found a proposed patch on
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873334 to "overrides
> default TLSv1.2" ... and after applying and recompiling postfix 3.5.4,
> TLSv1 worked immediately with the config I was running (no config
> problem after all).
That's for recent Debian versions, where the system-wide openssl.cnf
file indeed configures a floor of TLSv1.2, but then Debian have also
patched their Postfix package to clear the minimum version.
If CentOS 8 requires a default floor of TLS 1.2, and have not patched
Postfix to relax that system-default constraint, then you're stuck
with TLS >= 1.2 until a suitable work-around is made available in
their Postfix package.
> So it seems we really have a TLSv1.2 minimum hardcoded anywhere. Is
> it on the postfix sources? Is it CentOS 8? Is it possible to change
> that, via config or compile options, without patching the sources?
Postfix has no such hard-coded default. It is in the system libraries
and/or configuration files.
--
Viktor.
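The point of the reply is that two independent knobs decide which TLS versions an smtpd will actually offer: Postfix's `smtpd_tls_protocols` exclusion list, and a `MinProtocol`/`MaxProtocol` floor or ceiling that the system-wide openssl.cnf (or a vendor patch) applies underneath it. The script below is an added worked example, not code from the thread or from the Postfix project: it reads a Postfix `smtpd_tls_protocols` value and the text of an openssl.cnf and reports the intersection, so you can see why `!SSLv2, !SSLv3` still leaves TLSv1 disabled on a system whose OpenSSL floor is TLSv1.2. The two openssl.cnf fragments are constructed samples; the script assumes the `MinProtocol` line it finds is actually wired in via `openssl_conf`/`ssl_conf` (it does not verify that wiring), and it knows nothing about a vendor change made in the library itself rather than in the config file.

```python
import re

# TLS/SSL protocol versions in ascending order; the list index is used for
# floor and ceiling comparisons.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed openssl.cnf fragments (not copied from any distribution).
# The first mirrors the situation described in the thread: a TLSv1.2 floor
# set system-wide. The second has no floor at all.
CNF_WITH_FLOOR = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2   # system-wide floor, applied underneath Postfix
"""
CNF_WITHOUT_FLOOR = """\
# no MinProtocol / MaxProtocol here
[default_conf]
"""


def postfix_enabled(setting):
    """Protocols that Postfix itself leaves enabled for a smtpd_tls_protocols value.

    As the reply explains, Postfix does not set a minimum version; names
    prefixed with '!' are excluded and everything else stays enabled. A list
    with no '!' entries is treated as an explicit allow-list (the other
    documented form of the parameter).
    """
    tokens = [t for t in re.split(r"[,\s]+", setting.strip()) if t]
    if not tokens:
        return list(VERSIONS)
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    unknown = (excluded | included) - set(VERSIONS)
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    if included:
        return [v for v in VERSIONS if v in included and v not in excluded]
    return [v for v in VERSIONS if v not in excluded]


def openssl_bounds(cnf_text):
    """Return the MinProtocol/MaxProtocol values found in openssl.cnf text (None if absent)."""
    bounds = {"MinProtocol": None, "MaxProtocol": None}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(MinProtocol|MaxProtocol)\s*=\s*(\S+)$", line)
        if m:
            if m.group(2) not in VERSIONS:
                raise ValueError(f"unknown {m.group(1)} value: {m.group(2)}")
            bounds[m.group(1)] = m.group(2)
    return bounds


def effective_protocols(setting, cnf_text):
    """Versions that survive both Postfix's exclusions and OpenSSL's floor/ceiling."""
    bounds = openssl_bounds(cnf_text)
    lo = VERSIONS.index(bounds["MinProtocol"]) if bounds["MinProtocol"] else 0
    hi = VERSIONS.index(bounds["MaxProtocol"]) if bounds["MaxProtocol"] else len(VERSIONS) - 1
    library_allows = set(VERSIONS[lo:hi + 1])
    return [v for v in postfix_enabled(setting) if v in library_allows]


def report(setting, cnf_text):
    """Human-readable explanation of where each missing version was dropped."""
    by_postfix = postfix_enabled(setting)
    effective = effective_protocols(setting, cnf_text)
    lines = [f"smtpd_tls_protocols = {setting}"]
    for v in VERSIONS:
        if v not in by_postfix:
            lines.append(f"  {v:<8} disabled by Postfix ('!' exclusion or allow-list)")
        elif v not in effective:
            lines.append(f"  {v:<8} disabled by OpenSSL Min/MaxProtocol in openssl.cnf")
        else:
            lines.append(f"  {v:<8} offered")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("!SSLv2, !SSLv3", CNF_WITH_FLOOR))
    print()
    print(report("!SSLv2, !SSLv3", CNF_WITHOUT_FLOOR))
```

Run against the first fragment, the report shows TLSv1 and TLSv1.1 dropped by OpenSSL rather than by Postfix, which is exactly the "behind Postfix's back" case; with the second fragment the same Postfix setting offers TLSv1 upward. To check a real host, feed it the output of `postconf -h smtpd_tls_protocols` and the contents of the system openssl.cnf.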