Hi, I recently ran testssl.sh (https://github.com/drwetter/testssl.sh) on my mail server, and it's showing TLS 1 and 1.1 still being offered, as well as DES:
Testing protocols via sockets
  SSLv2      not offered (OK)
  SSLv3      not offered (OK)
  TLS 1      offered (deprecated)
  TLS 1.1    offered (deprecated)
  TLS 1.2    offered (OK)
  TLS 1.3    offered (OK): final

Testing cipher categories
  NULL ciphers (no encryption)                       not offered (OK)
  Anonymous NULL Ciphers (no authentication)         not offered (OK)
  Export ciphers (w/o ADH+NULL)                      not offered (OK)
  LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)       offered (NOT ok)
  Triple DES Ciphers / IDEA                          offered
  Obsoleted CBC ciphers (AES, ARIA etc.)             offered
  Strong encryption (AEAD ciphers) with no FS        offered (OK)
  Forward Secrecy strong encryption (AEAD ciphers)   offered (OK)

Testing server's cipher preferences
  Has server cipher order?     no (NOT ok)
  Negotiated protocol          TLSv1.3
  Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) (limited sense as client will pick)

What are the proper crypto settings for the safest configuration? Here's what I currently have:

  smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  smtpd_tls_protocols=!SSLv2,!SSLv3
  smtpd_tls_loglevel = 1
  smtp_tls_exclude_ciphers = 3DES
  smtpd_tls_security_level = may
  smtp_tls_security_level = may
  smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
  smtp_tls_protocols=!SSLv2,!SSLv3
  tls_ssl_options = NO_COMPRESSION
  smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
  smtpd_tls_mandatory_ciphers=high
  tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  smtpd_tls_auth_only = yes
  smtpd_sasl_tls_security_options = noanonymous
  smtp_tls_note_starttls_offer = yes
  smtpd_tls_ask_ccert = yes
  smtpd_tls_req_ccert = no
  smtpd_tls_received_header = yes
  smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
  tls_random_source = dev:/dev/urandom
  smtpd_tls_loglevel = 1
  smtp_tls_loglevel = 1
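The three testssl.sh findings above map onto Postfix parameters that the quoted main.cf does not set: with smtpd_tls_security_level = may, the server's opportunistic TLS is governed by smtpd_tls_protocols and smtpd_tls_ciphers (default grade "medium"), not by the *_mandatory_* variants, and smtp_tls_exclude_ciphers only affects outbound connections, so inbound TLS 1.0/1.1 and the LOW/3DES families stay enabled; "Has server cipher order? no" corresponds to tls_preempt_cipherlist at its default of "no". The following is an added example, not code from the post or from the Postfix project: a small audit script that parses a main.cf (the SAMPLE_MAIN_CF is constructed from the settings quoted above, the HARDENED_MAIN_CF is my assumed corrected version) and reports which of these settings still permit what testssl.sh flagged. Parameter names and defaults are standard Postfix ones; the ">=TLSv1.2" range syntax it also accepts needs Postfix 3.6 or later.

```python
"""Audit Postfix main.cf TLS settings against what testssl.sh reports.

Added example (not from the post or from Postfix). Assumes standard Postfix
parameter names and defaults; both sample configurations below are constructed.
"""
import re

ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher families testssl.sh groups under LOW / Triple DES; excluding them by
# name keeps them out whatever the cipher grade and tls_*_cipherlist allow.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "DES", "3DES", "RC2", "RC4", "MD5"}

# Postfix defaults used when main.cf does not set the parameter.
DEFAULTS = {
    "smtpd_tls_security_level": "none",
    "smtpd_tls_ciphers": "medium",
    "smtpd_tls_mandatory_ciphers": "medium",
    "smtpd_tls_exclude_ciphers": "",
    "tls_preempt_cipherlist": "no",
}

# Constructed from the settings quoted in the post (duplicates omitted).
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers=high
smtp_tls_exclude_ciphers = 3DES
tls_ssl_options = NO_COMPRESSION
"""

# Assumed corrected settings: TLS 1.2+ only, grade high, weak families excluded,
# and the server's own cipher order enforced.
HARDENED_MAIN_CF = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC2, RC4, MD5
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, 3DES, RC2, RC4, MD5
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
"""


def parse_main_cf(text):
    """Parse main.cf into {name: value}. Lines starting with '#' are comments,
    a line starting with whitespace continues the previous value, and the last
    assignment of a parameter wins (as in Postfix)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def allowed_protocols(value):
    """Resolve a Postfix protocol list to the set of versions it permits:
    exclusion form (!SSLv2,!SSLv3), inclusion form (TLSv1.2, TLSv1.3) and
    the Postfix 3.6+ range form (>=TLSv1.2)."""
    allowed, include = set(ALL_PROTOCOLS), set()
    for tok in [t for t in re.split(r"[,\s]+", value.strip()) if t]:
        name = tok.lstrip("!<>=")
        if name not in ALL_PROTOCOLS:
            continue  # unknown token: skip rather than guess
        idx = ALL_PROTOCOLS.index(name)
        if tok.startswith(">="):
            allowed &= set(ALL_PROTOCOLS[idx:])
        elif tok.startswith("<="):
            allowed &= set(ALL_PROTOCOLS[: idx + 1])
        elif tok.startswith("!"):
            allowed.discard(name)
        else:
            include.add(name)
    return allowed & include if include else allowed


def audit(params):
    """Return a list of findings, one per setting that still permits something
    testssl.sh flagged. An empty list means the checks all pass."""
    cfg = {**DEFAULTS, **params}
    findings = []
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
                 "smtp_tls_protocols", "smtp_tls_mandatory_protocols"):
        weak = sorted(allowed_protocols(cfg.get(name, "!SSLv2,!SSLv3")) & WEAK_PROTOCOLS)
        if weak:
            findings.append(f"{name} still permits {', '.join(weak)}")
    # Opportunistic server TLS (security_level=may) uses smtpd_tls_ciphers;
    # only security_level=encrypt uses smtpd_tls_mandatory_ciphers.
    level = cfg["smtpd_tls_security_level"]
    grade_param = "smtpd_tls_mandatory_ciphers" if level == "encrypt" else "smtpd_tls_ciphers"
    if cfg[grade_param].lower() != "high":
        findings.append(f"{grade_param} is '{cfg[grade_param]}' "
                        f"(smtpd_tls_security_level={level}); set it to high")
    excluded = {t for t in re.split(r"[,\s]+", cfg["smtpd_tls_exclude_ciphers"]) if t}
    missing = sorted(REQUIRED_EXCLUSIONS - excluded)
    if missing:
        findings.append("smtpd_tls_exclude_ciphers does not exclude " + ", ".join(missing))
    if cfg["tls_preempt_cipherlist"].lower() != "yes":
        findings.append("tls_preempt_cipherlist is not 'yes': the client picks the cipher")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"[{label}]")
        for f in audit(parse_main_cf(text)) or ["no findings"]:
            print("  -", f)
```

Run it against `postconf -n` output saved to a file by replacing the sample text with that file's contents. The trade-off to keep in mind with port 25: SMTP TLS is opportunistic, so a peer that only speaks TLS 1.0 or only offers the excluded ciphers will fall back to cleartext rather than fail, which is why the Postfix documentation keeps the outbound smtp_tls_ciphers lenient at security level "may"; the inbound smtpd_* settings are where the testssl.sh findings are addressed.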