[pfx] Allow TLSv1 only for internal senders

2023-03-18 Thread Gerd Hoerst via Postfix-users
Hi! I set up my Postfix for the clients to use only protocols > TLSv1 with smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1 in main.cf but unfortunately I have a sender (it's a printer) which is not capable of TLSv1.1 and up.. How

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Bill Cole via Postfix-users
On 2023-03-18 at 09:54:15 UTC-0400 (Sat, 18 Mar 2023 14:54:15 +0100) Gerd Hoerst via Postfix-users is rumored to have said: Hi! I set up my Postfix for the clients to use only protocols > TLSv1 with smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 smtpd_tls_protocols   = !SSL

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Wietse Venema via Postfix-users
If you must (not necessarily a good idea), your options are: - Multiple Postfix instances on different IP addresses. Each instance has its own main.cf and master.cf. - Single Postfix instance with different smtpd configurations in master.cf on different server IP addresses, using main.cf only for c

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Gerd Hoerst via Postfix-users
Hi! I read a tutorial to harden Postfix and there they threw out TLSv1 Ciao Gerd On 18.03.2023 at 16:07, Bill Cole via Postfix-users wrote: On 2023-03-18 at 09:54:15 UTC-0400 (Sat, 18 Mar 2023 14:54:15 +0100) Gerd Hoerst via Postfix-users is rumored to have said: Hi! I set up my Postfix f

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Benny Pedersen via Postfix-users
Gerd Hoerst via Postfix-users wrote on 2023-03-18 14:54: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1 in main.cf in main.cf put a # in these lines, so it's default from postconf -d but unfortunately I have a sender (it's a printer

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Matus UHLAR - fantomas via Postfix-users
Gerd Hoerst via Postfix-users wrote on 2023-03-18 14:54: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1 in main.cf in main.cf put a # in these lines, so it's default from postconf -d but unfortunately I have a sender (it's a printer

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 18, 2023 at 07:32:18PM +0100, Gerd Hoerst via Postfix-users wrote: > I read a tutorial to harden Postfix and there they threw out TLSv1 The tutorial is mostly misguided. Though in practice, TLS 1.0 is increasingly rare on the public Internet, so the damage from disabling it is fairly

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 14:54:15, Gerd Hoerst via Postfix-users wrote: > I set up my Postfix for the clients to use only protocols > TLSv1 with > > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 > smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1 While the former makes some sense (requi

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in <20230318191215.gb30...@rafa.eu.org>: |On 18.03.2023 at 14:54:15, Gerd Hoerst via Postfix-users wrote: |> I set up my Postfix for the clients to use only protocols > TLSv1 with |> |> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 |> smtpd_tls_protocols   

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 21:08:17, Steffen Nurpmeso via Postfix-users wrote: > I still have no problems with > > smtpd_tls_mandatory_protocols = >=TLSv1.2 > smtpd_tls_protocols = $smtpd_tls_mandatory_protocols > # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection.. > tls_high_cipherl

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users
On 19/03/23 09:08, Steffen Nurpmeso via Postfix-users wrote: I still have no problems with smtpd_tls_mandatory_protocols = >=TLSv1.2 This is fine, so long as you don't have a user that can't support at least TLSv1.2 that needs to use submission. smtpd_tls_protocols = $smtpd_tls_manda

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users
On 19/03/23 02:54, Gerd Hoerst via Postfix-users wrote: I set up my Postfix for the clients to use only protocols > TLSv1 with smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 A better way to do this is: smtpd_tls_protocols = >=TLSv1.1 smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLS

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users
On 19/03/23 07:44, Matus UHLAR - fantomas via Postfix-users wrote: I would generally allow the printer to use port 25. Port 25 is not a submission port and should not be used as such. Keep your submission separate from your MX traffic and you will avoid a whole heap of issues down the road.

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in <20230318203334.ga31...@rafa.eu.org>: |On 18.03.2023 at 21:08:17, Steffen Nurpmeso via Postfix-users wrote: |> I still have no problems with |> |> smtpd_tls_mandatory_protocols = >=TLSv1.2 |> smtpd_tls_protocols = $smtpd_tls_mandatory_protocols |> # super

[pfx] Fwd: Re: Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Steffen Nurpmeso via Postfix-users
--- Forwarded from Steffen Nurpmeso --- Date: Sun, 19 Mar 2023 00:06:13 +0100 Author: Steffen Nurpmeso From: Steffen Nurpmeso To: Peter Subject: Re: [pfx] Re: Allow TLSv1 only for internal senders Message-ID: <20230318230613.c9hc0%stef...@sdaoden.eu> OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B5

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 23:54:28, Steffen Nurpmeso via Postfix-users wrote: > Eh, no. I do not do either. (Granted I use PayPal one, two times > a month, but my bank account is not online-enabled.) > I _never_ shopped online. This destroys local pharmacies, shops, > small (hopefully) good jobs th