[SOLVED] Disabling TLS 1.0 and 1.1

[sherminator]

Hi there,

we are trying to disable TLS 1.0 and 1.1 for our PMG/Postfix. Therefore we put smtpd_tls_mandatory_protocols = >=TLSv1.2 to our /etc/pmg/templates/main.cf.in and commit the change via pmgconfig sync --restart 1.

Then we tested it from another machine with openssl s_client -connect ourpmg.example.com:25 -tls1 -starttls smtp, and unfortunately -tls1 and -tls1_1 still responds with Secure Renegotiation IS supported. Our expectation is that only -tls1_2 works. Did we miss something? Are we testing wrong?

Thanks and greets!

 

[sherminator]

Proxmox support, excellent as always, has solved the problem: We don't have to use smtpd_tls_mandatory_protocols. but smtpd_tls_protocols, then it works as desired.

 

[mira]

To clarify, if no domain override is set [0], then PMG uses opportunistic TLS. To configure the protocols for opportunistic TLS you have to use smtpd_tls_protocols [1].
If you add a domain override and make it mandatory, then smtpd_tls_mandatory_protocols is used instead.


[0] https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_mailproxy_tls
[1] http://www.postfix.org/postconf.5.html#smtpd_tls_protocols