Hi,

On Thu, Dec 8, 2022 at 2:17 AM Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 07.12.22 12:28, Alex wrote:
> >smtp_tls_security_level = may
> >smtpd_tls_security_level = may
> >smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> >smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
>
> so, you don't enforce TLS on server-server communication (correct), but
> you disable the tlsv1 and tlsv1.1 protocols.
>
> This means, if you communicate with an older server supporting up to TLS 1.1 or
> 1.0, communication will be unencrypted.
>
> This does not make much sense - tls1.0 is better than plaintext.

I think I assumed there was a vulnerability, like there is with SSLv3, that led me to disable it. I've now changed it to just:

smtpd_tls_mandatory_protocols = >=TLSv1.0

Can I also ask if it's a security risk from an information disclosure perspective to have multiple domains on the same letsencrypt cert? Each postfix instance I have configured processes mail for a number of different domains, so it's possible a user could ascertain info about those other clients by querying the cert directly. It certainly makes it easier for me to maintain the certs, but wanted to consider at what cost to privacy or the disclosure of that info.
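To make the point in the quoted reply concrete, here is an added model (not code from the thread or from Postfix) of how an outbound Postfix delivery ends up when `smtp_tls_security_level = may` is combined with a protocol exclusion list: it parses both the `!SSLv2,!SSLv3,...` form and the `>=TLSv1` range form, then reports the negotiated version, a plaintext fallback, or a deferral under mandatory TLS. The `TLSv1.0` alias is an assumption added so the value posted above can be parsed; Postfix itself documents the name as `TLSv1`.

```python
"""Model of Postfix opportunistic vs. mandatory TLS protocol selection."""

# Protocol names as Postfix lists them, weakest to strongest.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption for this example: accept the spelling used in the thread.
ALIASES = {"TLSv1.0": "TLSv1"}


def _canon(name):
    return ALIASES.get(name.strip(), name.strip())


def allowed_protocols(setting):
    """Protocol versions permitted by an smtp_tls_protocols-style value.

    Handles the exclusion form ("!SSLv2,!SSLv3,!TLSv1"), the range form
    (">=TLSv1.2" / "<=TLSv1.3"), and a bare list of names to enable.
    """
    included, excluded = set(), set()
    allowed = set(PROTOCOLS)
    for tok in setting.replace(",", " ").split():
        if tok.startswith(">="):
            allowed &= set(PROTOCOLS[PROTOCOLS.index(_canon(tok[2:])):])
        elif tok.startswith("<="):
            allowed &= set(PROTOCOLS[:PROTOCOLS.index(_canon(tok[2:])) + 1])
        elif tok.startswith("!"):
            excluded.add(_canon(tok[1:]))
        else:
            included.add(_canon(tok))
    if included:                      # bare names restrict to that list
        allowed &= included
    return allowed - excluded


def negotiate(security_level, protocols_setting, peer_protocols):
    """Outcome of one delivery to a peer that supports peer_protocols.

    Returns the TLS version used, "plaintext" when opportunistic TLS
    ("may") falls back after the handshake fails, or "deferred" when a
    mandatory level ("encrypt" or stronger) cannot be satisfied.
    """
    common = allowed_protocols(protocols_setting) & set(peer_protocols)
    if common:
        return max(common, key=PROTOCOLS.index)
    return "plaintext" if security_level == "may" else "deferred"


if __name__ == "__main__":
    # Constructed peer: an old relay that only speaks TLS 1.0 / 1.1.
    old_peer = ["TLSv1", "TLSv1.1"]
    print(negotiate("may", "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1", old_peer))
    print(negotiate("may", ">=TLSv1.0", old_peer))
```

With the original exclusion list the old peer gets plaintext; with the relaxed `>=TLSv1.0` floor it still gets an encrypted (TLS 1.1) session, which is the trade-off the quoted reply describes.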