Hi, I have a running ISPConfig 3.2 on Debian 10. Mail with Postfix 3.4.14 and OpenSSL 1.1.1d is only working with TLSv1.2. I tried to get it working with TLSv1.3, but with no success. What do I have to do to get this working with TLSv1.3?
Code:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_dh1024_param_file = /etc/ssl/private/ffdhe4096.pem
tls_medium_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-RSA-AES256-SHA384
Hi, thanks for the information. I added the TLSv1.3 ciphers to the cipher list:
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
and restarted Postfix. But no success with mail over TLSv1.3; only TLSv1.2 is working.
Code:
grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
openssl ciphers -v | grep 1.3
Hi, with "openssl ciphers -v | grep 1.3" I get the same ciphers that I used in my earlier post. With
grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
I get an error:
grep: maillog: File or directory does not exist
Still no TLSv1.3.
Do cd first to the directory where maillog resides, or put the full pathname of the file instead of just maillog. And check that the filename is maillog and not something close to that. Maybe it is /var/log/mail.log?
Hi, output from the mail.log:
15 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
but no TLSv1.3. Maybe someone has a copy of a Postfix main.cf that has a working TLSv1.3? (My website (Apache server) works fine with TLSv1.3.)
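To pin down where a TLSv1.2-only tally comes from, here is an added shell example written for this thread; it is not code from any poster and not Postfix's own tooling. It extends the one-liner suggested above by splitting the "TLS connection established" lines per direction (postfix/smtpd lines are inbound sessions, where the version is capped by what the remote client offers; postfix/smtp lines are this server connecting out), and adds a live probe with openssl s_client -tls1_3 that you can point at localhost to test the daemon's own TLS 1.3 support independently of what peers happen to offer. Note also that the exclusion list !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 in the posted main.cf does not exclude TLSv1.3, so that config by itself is not what blocks it. The log lines are constructed for the example in Postfix's usual format; mx, mail.example.net, mx.example.org and the addresses are placeholders. The probe function assumes openssl is on PATH and is not called by the demo because it needs network access.

```shell
#!/bin/sh
# Added example for this thread (not from any poster, not Postfix's own tooling).
# Tally negotiated TLS versions in a Postfix mail.log, split by direction, and
# probe a host for TLS 1.3 with openssl s_client.

# Constructed sample log lines in Postfix's usual format; hostnames and
# addresses are placeholders, not data from the thread.
SAMPLE_LOG='Mar  1 10:00:01 mx postfix/smtpd[1234]: connect from mail.example.net[192.0.2.10]
Mar  1 10:00:01 mx postfix/smtpd[1234]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  1 10:00:07 mx postfix/smtpd[1235]: Anonymous TLS connection established from mail.example.net[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  1 10:00:09 mx postfix/smtpd[1236]: Anonymous TLS connection established from old.example.net[192.0.2.12]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  1 10:01:02 mx postfix/smtp[1240]: Trusted TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  1 10:01:30 mx postfix/smtp[1241]: Untrusted TLS connection established to mx.example.com[203.0.113.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'

# The one-liner from the thread, reading the log from stdin:
# "<count> <version> with cipher <cipher> (...)", most frequent first.
tls_summary() {
    grep "TLS connection established" | sed 's/.*: //' | sort | uniq -c | sort -rn
}

# Per-direction tally, printed as "<smtp|smtpd> <version> <count>".
# smtpd = inbound (the remote client decides what it offers), smtp = outbound
# (this server acting as client). Inbound-only TLSv1.2 proves nothing about
# the local daemon's TLS 1.3 support.
by_direction_version() {
    grep "TLS connection established" \
    | sed -E 's#.*postfix/(smtpd?)\[[0-9]+\]:.*: (TLSv1(\.[0-9])?|SSLv3) with cipher.*#\1 \2#' \
    | LC_ALL=C sort | uniq -c | awk '{print $2, $3, $1}'
}

# Exit 0 if at least one TLSv1.3 session is logged on stdin, 1 otherwise.
has_tls13() {
    grep "TLS connection established" | grep -q 'TLSv1\.3 with cipher'
}

# Live probe: force a TLS 1.3-only STARTTLS handshake and print what was
# negotiated. Run it against localhost on the Postfix box to test the daemon
# itself; if that handshake fails, the server side is the problem, not peers.
# Needs network access and openssl on PATH, so the demo below does not call it.
probe_tls13() {   # usage: probe_tls13 host [port]
    printf 'QUIT\r\n' \
    | openssl s_client -starttls smtp -tls1_3 -connect "$1:${2:-25}" 2>&1 \
    | grep -E '^ *(Protocol|Cipher) *:'
}

# Demo on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | by_direction_version
if printf '%s\n' "$SAMPLE_LOG" | grep 'postfix/smtpd' | has_tls13; then
    echo "inbound TLSv1.3 seen"
else
    echo "no inbound TLSv1.3 yet: peers did not offer it; run probe_tls13 localhost to test the daemon"
fi
```

On a real server replace SAMPLE_LOG with `cat /var/log/mail.log | by_direction_version`. If outbound sessions show TLSv1.3 or probe_tls13 localhost reports Protocol : TLSv1.3, the Postfix and OpenSSL build is fine and the TLSv1.2-only inbound lines simply reflect what the sending MTAs offered.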
Did you check whether the OpenSSL version installed on your system, together with that Postfix version, is capable of doing TLS 1.3?
I checked with Google but can't find the answer. Probably not. But what to do about it? Update Postfix or OpenSSL? What is the best way?
Personally, I won't update a core package like OpenSSL manually on a Linux distribution. There are chances that you get an unstable system or that your system becomes un-updatable. Better upgrade your system from Debian 10 to 11 to get a newer Postfix and OpenSSL.
Exactly that. But one idea, as I do on my EL systems, could be to create updated packages of Postfix and OpenSSL yourself. When doing so, one has to make sure that such an OpenSSL package has a different name and is installed in a different location than the standard OpenSSL package of the Linux distribution, so that one does not overwrite it. After that, you can modify the Postfix control/spec file to link against your own OpenSSL package at build time. However, something that is bugging me is why Debian 10 Postfix doesn't come with TLS 1.3 support enabled?! The OpenSSL version actually cannot be the reason, since 1.1.1d, like the whole 1.1.1 branch, comes with TLS 1.3. So, was TLS 1.3 disabled by the Debian 10 maintainers for Postfix, or was it an accident by the OP, who wrote that he is running Debian 10 but is actually running Debian 8 or 9 or something else instead?
That is why following the FAQ thread is always important when troubleshooting and raising a support question or issue, because we also do not know for sure what the real OS version is that they are using, except for what they have presented us with.
Hi, thanks for all the information. I think the best way is upgrading from Debian 10 to Debian 11. When I follow this link for upgrading, https://www.howtoforge.com/how-to-upgrade-from-debian-10-to-debian-11/ , how do I stop all running application services with one command? "Stop all running application services including Apache, FTP, and others."
You have to run a separate command for each service. For what it's worth, I never stop them myself, I just upgrade and let the installer restart things when it prompts to do so (though to be fair, I've never followed that specific guide offhand).
I don't stop services before the update either. It might be safer to stop them, but from my experience in the past I would say you can skip stopping them.
Debian has upgrade instructions in the release notes. They are rather long, but thorough. I would not do release upgrades following some random instructions found on the Interwebs. https://www.debian.org/releases/stable/releasenotes Those upgrade instructions from the Debian Project itself do not instruct you to stop services.