Hi. After updating to 3.2 on the first production server: on that server I need to allow TLSv1 and TLSv1.1 for Postfix for some more years. Is it ok to just comment out in /etc/postfix/main.cf (EDITED, see below):

#tls_medium_cipherlist = ....

Or is more needed? It seems to work when testing with online SMTP tools:

DANE missing
PFS supported
Heartbleed not vulnerable
Weak ciphers not found
TLSv1.2 TLSv1.1 TLSv1.0

Or does someone have a better cipherlist?
I think that's ok, I only have a cipherlist for TLSv1 and v1.1 disabled. I'm trying to modernize others
I suspect you can leave the cipherlist set, just lower the mandatory ciphers. I could be wrong though, if you need the old TLS modes, perhaps you need insecure ciphers for newer modes, too?
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers

medium: Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit or longer symmetric bulk-encryption keys. This is the default minimum strength for mandatory TLS encryption. The underlying cipherlist is specified via the tls_medium_cipherlist configuration parameter, which you are strongly encouraged to not change.

Leaving it to Postfix to decide on a good cipherlist seems ok. So now I tried to comment out only "#tls_medium_cipherlist = ...". Seems to work so far; v1 and v1.1 are active in tests: https://ssl-tools.net/mailservers
We re-added TLSv1 and TLSv1.1 for Postfix, but missed adding the needed ciphers. This causes a mismatch as it may try to connect over TLSv1 or 1.1 but doesn't get any working ciphers. Bug report has been made and this will be addressed in 3.2.1: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5839 Thanks for your info.
Yes, the cipher list must be the issue, as the TLS_README states `The default minimum cipher grade for mandatory TLS is "medium"`
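The mismatch described in the thread (TLSv1/TLSv1.1 re-enabled while a customised tls_medium_cipherlist only lists TLS 1.2 suites, so a legacy client negotiates the protocol version but finds no usable cipher) can be spotted from the Postfix configuration alone. The POSIX shell script below is an added example, not code from the thread, Postfix or ISPConfig. It parses constructed main.cf snippets (the first mirrors the post-3.2 state, the second the "comment it out" fix, the third a modern-only server), works out whether smtpd_tls_protocols / smtpd_tls_mandatory_protocols still permit TLSv1 or TLSv1.1, and applies a name-based heuristic (explicit suites ending in "-SHA", or group aliases such as HIGH/MEDIUM) to judge whether a custom cipher string still contains suites usable before TLS 1.2. The function names, the sample configs and the heuristic are my own assumptions; the Postfix parameter names are the real ones.

```shell
#!/bin/sh
# Added example (not from the thread, Postfix or ISPConfig): detect a Postfix
# configuration that permits TLSv1/TLSv1.1 while a customised
# tls_medium_cipherlist offers only TLS 1.2 suites, so legacy clients
# negotiate the protocol version but find no usable cipher.

# Constructed sample configs (not real servers).
SAMPLE_MISMATCH='smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_FIXED='smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
#tls_medium_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_MODERN='smtpd_tls_security_level = may
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = high'

# get_param CONFIG NAME: value of the last uncommented "NAME = value" line.
get_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# allows_legacy_tls PROTOCOLS: succeeds if TLSv1 or TLSv1.1 may be negotiated.
# Handles the exclusion form ("!SSLv2, !SSLv3"), the floor form (">=TLSv1.2")
# and the inclusion form ("TLSv1.2, TLSv1.3"). An empty value means the
# Postfix default, which still permits TLSv1.
allows_legacy_tls() {
    ptoks=$(printf '%s' "$1" | tr ', ' '\n\n' | sed '/^$/d')
    [ -z "$ptoks" ] && return 0
    if printf '%s\n' "$ptoks" | grep -q '^!'; then
        # exclusion list: legacy only gone if both versions are excluded
        printf '%s\n' "$ptoks" | grep -qxF '!TLSv1' &&
            printf '%s\n' "$ptoks" | grep -qxF '!TLSv1.1' && return 1
        return 0
    fi
    case "$ptoks" in
        '>=TLSv1'|'>=TLSv1.1') return 0 ;;
        '>='*) return 1 ;;
    esac
    printf '%s\n' "$ptoks" | grep -qxF 'TLSv1' && return 0
    printf '%s\n' "$ptoks" | grep -qxF 'TLSv1.1' && return 0
    return 1
}

# has_legacy_ciphers CIPHERLIST: heuristic (assumption, name-based) for whether
# an OpenSSL cipher string still contains suites usable under TLS 1.0/1.1.
# Explicit suites with a SHA-1 MAC end in "-SHA"; group aliases (HIGH, MEDIUM,
# AES128, ...) expand to such suites unless they are TLS 1.2-only groups.
has_legacy_ciphers() {
    ctoks=$(printf '%s\n' "$1" | tr ':' '\n' | grep -v '^[!@-]' || true)
    printf '%s\n' "$ctoks" | grep -q -- '-SHA$' && return 0
    printf '%s\n' "$ctoks" | grep -v -- '-' |
        grep -vxE 'AESGCM|AESCCM|AESCCM8|CHACHA20|SHA256|SHA384|AEAD' |
        grep -q . && return 0
    return 1
}

# check_maincf CONFIG: prints one of
#   mismatch                     legacy versions allowed, no pre-1.2 suites
#   legacy-ok-default-cipherlist legacy allowed, Postfix default list in use
#   legacy-ok-custom-cipherlist  legacy allowed, custom list still has suites
#   modern-only                  TLSv1/TLSv1.1 not negotiable
check_maincf() {
    protos=$(get_param "$1" smtpd_tls_protocols)
    mand=$(get_param "$1" smtpd_tls_mandatory_protocols)
    list=$(get_param "$1" tls_medium_cipherlist)
    if allows_legacy_tls "$protos" || allows_legacy_tls "$mand"; then
        if [ -z "$list" ]; then
            echo legacy-ok-default-cipherlist
        elif has_legacy_ciphers "$list"; then
            echo legacy-ok-custom-cipherlist
        else
            echo mismatch
        fi
    else
        echo modern-only
    fi
}

# Stand-alone run over the constructed samples.
for name in SAMPLE_MISMATCH SAMPLE_FIXED SAMPLE_MODERN; do
    eval "cfg=\$$name"
    printf '%-16s %s\n' "$name" "$(check_maincf "$cfg")"
done
```

On a live server the same check can be run against the effective non-default settings with `check_maincf "$(postconf -n)"`, since `postconf -n` prints them in the same "name = value" form. The heuristic errs on the side of reporting a mismatch: a list that reaches TLS 1.0 clients only through an alias this script does not recognise would be flagged and should then be confirmed by hand.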