On Thu, Jun 09, 2022 at 06:47:10PM +0200, Benny Pedersen wrote:

> On 2022-06-09 17:13, Linda Pagillo wrote:
> > Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours
> > of staring at the screen. Josef.. THANK YOU.
> >
> >> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> tlsv1.1 is more weak than tlsv1, so keep tlsv1

No, DO NOT DO that.  Creating "holes" in the supported protocol list is
NOT a good idea.

Postfix 3.6 and later support and prefer setting upper/lower bounds
with "<=some-version" and ">=some-version" directives (note, no space
after "<=" or ">=").  Thus I have (default values):

    $ postconf smtp{,d}_tls_{,mandatory_}protocols
    smtp_tls_protocols = >=TLSv1
    smtp_tls_mandatory_protocols = >=TLSv1
    smtpd_tls_protocols = >=TLSv1
    smtpd_tls_mandatory_protocols = >=TLSv1

See, for example:

    https://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols

-- 
    Viktor
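
Added example, not part of the original message and not Postfix code: a small Python check that reports "holes" in a `*_tls_*protocols` value and, when there are none, rewrites the list in the Postfix 3.6+ bound syntax described above. The function names are hypothetical, the parsing is a simplified model (named protocols only, with an explicit include list treated as "only these"), and the second sample value is constructed from the quoted suggestion to keep TLSv1 while excluding TLSv1.1.

```python
import re

# Protocol names accepted in Postfix protocol lists, oldest to newest.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def enabled_protocols(value):
    """Protocols left enabled by a protocol list (simplified model).
    Unknown names raise ValueError instead of being silently ignored."""
    include, exclude = set(), set()
    lo, hi = 0, len(ORDER) - 1
    for tok in re.split(r"[\s,:]+", value.strip()):
        if not tok:
            continue
        if tok.startswith(">="):            # lower bound, Postfix 3.6+
            lo = max(lo, ORDER.index(tok[2:]))
        elif tok.startswith("<="):          # upper bound, Postfix 3.6+
            hi = min(hi, ORDER.index(tok[2:]))
        elif tok.startswith("!"):           # explicit exclusion
            exclude.add(ORDER.index(tok[1:]))
        else:                               # explicit inclusion
            include.add(ORDER.index(tok))
    base = include if include else set(range(len(ORDER)))
    return [ORDER[i] for i in sorted(base - exclude) if lo <= i <= hi]

def holes(value):
    """Disabled protocols that sit between two enabled ones."""
    on = [ORDER.index(p) for p in enabled_protocols(value)]
    if not on:
        return []
    return [ORDER[i] for i in range(on[0], on[-1] + 1) if i not in on]

def as_bounds(value):
    """Equivalent bound syntax, or None if the list is empty or has holes."""
    on = enabled_protocols(value)
    if not on or holes(value):
        return None
    parts = [">=" + on[0]]
    if on[-1] != ORDER[-1]:
        parts.append("<=" + on[-1])
    return ", ".join(parts)

if __name__ == "__main__":
    samples = [
        "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1",  # value quoted in the thread
        "!SSLv2, !SSLv3, !TLSv1.1",          # constructed: keeps TLSv1, drops TLSv1.1
        ">=TLSv1",                           # default shown in the reply
    ]
    for s in samples:
        print(f"{s!r}: enabled={enabled_protocols(s)} "
              f"holes={holes(s)} bounds={as_bounds(s)!r}")
```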