Debian 10 postfix TLSv1.3

Discussion in 'Installation/Configuration' started by Robin.k, Dec 26, 2021.

  1. Robin.k

    Robin.k Member

    Hi,
    I have a running ISPconfig 3.2 on Debian 10.
    Mail with postfix 3.4.14 with open SLL 1.1.1.d is only working with TSLv1.2.
    I tried to get it working on TSLv1.3.....but with no succes.

    What will I do to get this working with TLS v.1.3?

    Code:
    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane
    smtp_tls_loglevel = 1
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_dh1024_param_file = /etc/ssl/private/ffdhe4096.pem
    tls_medium_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-RSA-AES256-SHA384
    
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Add its tls cipher in your cipherlist I think.
     
  3. Robin.k

    Robin.k Member

    Hi, thanks for the information.

    I ad the TLSv1.3 ciphers in the cipherlist.
    TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    and restart postfix.
    But no succes with mail TLSv1.3, only TLSv1.2 is working
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
    openssl ciphers -v | grep 1.3
     
  5. Robin.k

    Robin.k Member

    Hi,

    with "openssl ciphers -v | grep 1.3" I get the same chippers that I used in my earlier post.
    with "grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn" I get an error
    grep: maillog: File or directory does not exist

    Still no TLSv1.3
     
    Last edited: Dec 27, 2021
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Do cd first to the directory where maillog resides, or put full pathname to file instead of just maillog. And check the filename is maillog, and not something close to that. Maybe it is /var/log/mail.log ?
     
  7. Robin.k

    Robin.k Member

    Hi,
    output from the mail.log.
    15 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    but no TLSv1.3
    Maybe has someone a copy from postfix main.cf that has a working TLSv1.3?
    (my website (Apache server) works fine with TLSv1.3)
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you check if the openssl version installed on your system together with that postfix version is capable of doing TLS 1.3?
     
  9. Robin.k

    Robin.k Member

    I checked with google but can't find the answer. Probably not
    But what to do about it? update postfix or open SSL ? What is the best way
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Personally, I won't update a core package like OpenSSL manually on a Linux distribution. There are chances that you get an instable system or that your system becomes unupdateable. Better upgrade your system from Debian 10 to 11 to get newer Postfix and OpenSSL.
     
    michelangelo likes this.
  11. michelangelo

    michelangelo Member

    Exactly that.
    But one idea, as I do on my EL systems, could be to create updated packages of Postfix and OpenSSL by yourself.

    When doing so, one has to make sure that such an OpenSSL package has different naming and is installed in a different location than the standard OpenSSL package of the Linux distribution, so that one does not overwrite it. After that, you can modify the postfix control/spec file to link against your own OpenSSL package at build time.

    However, something that is bugging me is why Debian 10 Postfix doesn't come with enabled TLS 1.3 support?!
    The OpenSSL version actually cannot be the reason since 1.1.1d like the whole 1.1.1 branch comes with TLS 1.3.
    So, was TLS 1.3 disabled by Debian 10 maintainers for Postfix or was it an accident by the OP because he wrote that he is running Debian 10 but is actually running Debian 8 or 9 or something else instead?
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That is why following FAQ thread is always important to troubleshoot and raise support question / issue because we also do not know for sure what is the real OS version they are using except for what they have represented us with.
     
  13. Robin.k

    Robin.k Member

    Hi, thanks for all the information.
    I think the best way is upgrading from Debian 10 to Debian 11.
    When I follow this link for upgrading https://www.howtoforge.com/how-to-upgrade-from-debian-10-to-debian-11/
    How to stop all running applications services with one command?
    • Stop all running application services including, Apache, FTP, and others.
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You have to run a separate command for each service. For what it's worth, I never stop them myself, I just upgrade and let the installer restart things when it prompts to do so (though to be fair, I've never followed that specific guide offhand).
     
    till likes this.
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't stop services before the update too. It might be safer to stop them, but from my experience in the past I would say you can skip stopping them.
     
  16. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Debian has upgrade instructions in the release notes. They are rather long, but thorough. I would not do release upgrades following some random instructions found on the Interwebs.
    https://www.debian.org/releases/stable/releasenotes
    Those upgrade instructions from the Debian Project itself do not instruct to stop services.
     

Share This Page