postfix tlsv1 and tlsv1.1 needed

Discussion in 'ISPConfig 3 Priority Support' started by elmacus, Oct 19, 2020.

  1. elmacus

    elmacus Active Member HowtoForge Supporter

    Hi.
    After update to 3.2 on first production server.
    On a server I need to allow TLSv1 and TLSv1.1 for Postfix some more years.
    Is it ok to just comment out in /etc/postfix/main.cf:
    EDITED, see below:
    Code:
    #tls_medium_cipherlist = ....
    Or is more needed?
    It seems to work when testing with online SMTP tools.
    Code:
    DANE missing
    PFS supported
    Heartbleed not vulnerable
    Weak ciphers not found
    TLSv1.2
    TLSv1.1
    TLSv1.0
    
    Or does someone have a better cipherlist?

    Last edited: Oct 20, 2020
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I think that's ok, I only have a cipherlist for TLSv1 and v1.1 disabled. I'm trying to modernize others ;)
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I suspect you can leave the cipherlist set, just lower the mandatory ciphers. I could be wrong though, if you need the old TLS modes, perhaps you need insecure ciphers for newer modes, too?
     
  4. elmacus

    elmacus Active Member HowtoForge Supporter

    http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers
    medium
    Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit or longer symmetric bulk-encryption keys. This is the default minimum strength for mandatory TLS encryption. The underlying cipherlist is specified via the tls_medium_cipherlist configuration parameter, which you are strongly encouraged to not change.

    Leaving to Postfix to decide on a good cipherlist seems ok.
    So now I tried to comment out only: "#tls_medium_cipherlist = ...".
    Seems to work so far. v1 and v1.1 are active in tests: https://ssl-tools.net/mailservers
     
    Last edited: Oct 20, 2020
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    We re-added TLSv1 and TLSv1.1 for Postfix, but missed adding the needed ciphers. This causes a mismatch as it may try to connect over TLSv1 or 1.1 but doesn't get any working ciphers.

    Bug report has been made and this will be addressed in 3.2.1: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5839

    Thanks for your info.
     
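To make the mismatch described in the post above concrete, here is an added checker (example code, not ISPConfig's or Postfix's own): it parses a main.cf, resolves which protocols smtpd_tls_protocols allows, and reports when TLSv1/TLSv1.1 are allowed but tls_medium_cipherlist contains no suite those versions can negotiate. The OpenSSL-name heuristic (AEAD and SHA256/SHA384 suites are TLSv1.2-only) and the two sample configs are assumptions constructed for this example.

```python
import re

ALL_PROTOS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"TLSv1", "TLSv1.1"}
# Assumed heuristic on OpenSSL suite names: AEAD (GCM/CCM/CHACHA20) and SHA256/SHA384 MACs are TLSv1.2-only
TLS12_ONLY = re.compile(r"GCM|CCM|CHACHA20|SHA256|SHA384")

def parse_main_cf(text):
    """Minimal main.cf parser: 'key = value', '#' comment lines, indented continuation lines."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented out; a commented parameter falls back to the Postfix default
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, val = line.partition("=")
            key = key.strip()
            params[key] = val.strip()
    return params

def allowed_protocols(spec):
    """Resolve Postfix protocol syntax: '!SSLv2, !SSLv3' exclusions, '>=TLSv1.2' minimum, or an explicit list."""
    items = [t for t in re.split(r"[,\s:]+", spec) if t]
    if items and items[0].startswith(">="):
        return set(ALL_PROTOS[ALL_PROTOS.index(items[0][2:]):])
    if items and all(t.startswith("!") for t in items):
        return set(ALL_PROTOS) - {t[1:] for t in items}
    return set(items)

def legacy_capable(cipherlist):
    """Suites in an OpenSSL cipher list that a TLSv1.0/1.1 client can still negotiate."""
    return [c for c in re.split(r"[:,\s]+", cipherlist) if c and not TLS12_ONLY.search(c)]

def check(text, key="smtpd_tls_protocols"):
    """Return (mismatch, legacy protocols allowed, legacy-capable suites) for a main.cf text."""
    p = parse_main_cf(text)
    wanted = allowed_protocols(p.get(key, "!SSLv2, !SSLv3")) & LEGACY
    if "tls_medium_cipherlist" not in p:
        return False, wanted, ["<postfix default list, includes SHA1 suites>"]
    usable = legacy_capable(p["tls_medium_cipherlist"])
    return bool(wanted) and not usable, wanted, usable

# Constructed samples: BROKEN allows TLSv1/1.1 but lists only TLSv1.2 suites; FIXED comments the list out
BROKEN = ("smtpd_tls_protocols = !SSLv2, !SSLv3\n"
          "tls_medium_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256\n")
FIXED = BROKEN.replace("tls_medium_cipherlist", "#tls_medium_cipherlist")
```

Run `check(BROKEN)` to see the mismatch reported and `check(FIXED)` to see it cleared; pass `key="smtpd_tls_mandatory_protocols"` to inspect the mandatory-TLS setting instead.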
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, the cipher list must be the issue, as the TLS_README states `The default minimum cipher grade for mandatory TLS is "medium"`
     
