How to disable TLS 1.0 & TLS 1.1

[fte]

Hi @ALL,
can anybody explain me please, how to disable TLS 1.0 & TLS 1.1 for inbound Mails?
It's PMG v7.2
THX a lot
Frank

 

[Stoiko Ivanov]

See the postfix documentation on the topic:
https://www.postfix.org/TLS_README.html#server_tls
The config-switch you probably want is:
https://www.postfix.org/postconf.5.html#smtpd_tls_protocols

to adapt your postfix config in PMG you need to use the templateing system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!

 

[czechsys]

Isn't tls1/1.1 disabled anyway? Because PVE7.2 is based on Deb11 and it's openssl.conf has set

MinProtocol = TLSv1.2

Hmm, it looks, postfix doesn't honor openssl configuration.

SOMEHOST:~$ openssl s_client -connect PMG:25 -tls1
CONNECTED(00000003)
140408873498256:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1674658928
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)