Hi,

Now I am sure, that's why I post this. After an upgrade of ISPConfig and answering all questions with the default option, the main.cf in /etc/postfix will be overwritten (because "reconfigure all services" is: yes). For normal basic use this is okay, but the config isn't secure enough. I adapted all my main.cf files with more security, so that I am compliant with the test which I do on "Internet.nl". See the difference for yourself, with one of your mail domains, after the test on "Internet.nl". The changes I made are these (first is the default and removed, second is adapted and added):

< smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
< smtpd_tls_protocols = !SSLv2,!SSLv3
< smtp_tls_protocols = !SSLv2,!SSLv3
---
> smtpd_tls_mandatory_protocols = >=TLSv1.2
> smtpd_tls_protocols = >=TLSv1.2
> smtp_tls_protocols = >=TLSv1.2
---
< tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
---
> tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

Maybe this can be the default in the future?

Greetings,
Bert
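Review bot: the `>=TLSv1.2` range syntax used in the three protocol lines is only accepted by Postfix 3.6 and later; on an older release the same effect needs the exclusion form, e.g. `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`, and the post does not say which Postfix version this was tested on. Note also that `smtp_tls_protocols` is the client-side (outbound) setting, so raising it affects delivery to remote servers that offer nothing above TLS 1.1, not only which mail clients may connect; watch the mail log for deferrals after the change.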
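Review bot: the trimmed `tls_medium_cipherlist` only takes effect because the `smtpd_tls_ciphers`, `smtp_tls_ciphers` and the two `*_tls_mandatory_ciphers` parameters default to `medium`; if any of them has been set to `high`, `tls_high_cipherlist` is consulted instead and would need the same trimming. The list also governs only TLS 1.2 and earlier suites; TLS 1.3 suites are chosen by OpenSSL independently of this parameter, so the post's list cannot be used to tune them.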
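To see how the settings in Bert's post compare against what a TLS test looks for, here is an added example (not ISPConfig or Postfix code) that parses a main.cf in the form Postfix reads it, expands the protocol spec, flags anything below TLS 1.2 and any cipher without forward secrecy, and prints the postconf commands that would apply the hardened values. The sample main.cf text and the function names are constructed for this example; the only assumption about Postfix itself is that the `>=` protocol syntax needs release 3.6 or later.

```python
"""Audit Postfix TLS protocol and cipher settings in a main.cf-style file.

Added example for this thread (not ISPConfig or Postfix project code).
The sample configuration below is constructed for the example.
"""
import re

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MODERN = ("TLSv1.2", "TLSv1.3")
PROTOCOL_KEYS = ("smtpd_tls_mandatory_protocols",
                 "smtpd_tls_protocols", "smtp_tls_protocols")
# Assumed fallback when a protocol parameter is absent (old Postfix default).
LEGACY_DEFAULT = "!SSLv2, !SSLv3"

# The PFS-only list from the post: the (EC)DHE/AEAD head of the Mozilla
# "intermediate" list, with the non-PFS and 3DES tail removed.
PFS_CIPHERLIST = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
])

# Constructed sample: the defaults Bert replaced, cipherlist abridged.
DEFAULT_MAIN_CF = """\
# constructed sample main.cf
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
tls_medium_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:
    AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA
"""

# Constructed sample with the values from the post applied.
HARDENED_MAIN_CF = "".join(f"{k} = >=TLSv1.2\n" for k in PROTOCOL_KEYS) \
    + f"tls_medium_cipherlist = {PFS_CIPHERLIST}\n"


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues
    the previous value, as in Postfix; '#' lines and blanks are skipped."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if key is not None:
                params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def allowed_protocols(spec):
    """Expand a Postfix protocol spec into the protocols it leaves enabled.
    Supports '>=TLSv1.2' (Postfix 3.6+) and the '!SSLv2, !SSLv3' form,
    where listing unnegated names restricts to exactly those names."""
    spec = spec.strip()
    m = re.fullmatch(r">=\s*(\S+)", spec)
    if m:
        return PROTOCOLS[PROTOCOLS.index(m.group(1)):]
    tokens = [t for t in re.split(r"[\s,:]+", spec) if t]
    included = {t for t in tokens if not t.startswith("!")}
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return [p for p in PROTOCOLS
            if (not included or p in included) and p not in excluded]


def weak_ciphers(cipherlist):
    """Ciphers lacking forward secrecy (no (EC)DHE key exchange) or using 3DES."""
    names = [c for c in re.split(r"[\s,:]+", cipherlist) if c]
    return [c for c in names
            if not c.startswith(("ECDHE-", "DHE-")) or "DES-CBC3" in c]


def audit(params):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    for key in PROTOCOL_KEYS:
        legacy = [p for p in allowed_protocols(params.get(key, LEGACY_DEFAULT))
                  if p not in MODERN]
        if legacy:
            findings.append(f"{key} still allows {', '.join(legacy)}")
    weak = weak_ciphers(params.get("tls_medium_cipherlist", ""))
    if weak:
        findings.append("tls_medium_cipherlist has non-PFS/3DES ciphers: "
                        + ", ".join(weak))
    return findings


def harden_commands(params, postfix_version=(3, 6)):
    """postconf -e commands fixing each finding; the '>=' syntax needs 3.6+."""
    proto = ">=TLSv1.2" if postfix_version >= (3, 6) \
        else "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
    cmds = []
    for key in PROTOCOL_KEYS:
        if any(p not in MODERN for p in
               allowed_protocols(params.get(key, LEGACY_DEFAULT))):
            cmds.append(f"postconf -e '{key} = {proto}'")
    if weak_ciphers(params.get("tls_medium_cipherlist", "")):
        cmds.append(f"postconf -e 'tls_medium_cipherlist = {PFS_CIPHERLIST}'")
    return cmds


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_MAIN_CF
    params = parse_main_cf(text)
    for line in audit(params) or ["no findings"]:
        print(line)
    print("\n".join(harden_commands(params)))
```

Run it with the path to a real /etc/postfix/main.cf to get the findings and the matching postconf commands; after applying them, `postfix reload` and re-run the Internet.nl test. The commands edit the live main.cf, which ISPConfig will overwrite on the next reconfigure, so put the final values in your ISPConfig custom template rather than only in the live file.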
I don't think so. Too many systems would fail then. You underestimate how many old mail clients are out there, e.g., the ones built into devices like scanners. And the default setup is secure enough. If you don't like it, change it and create a custom override config for future updates. But we have to ensure that systems actually work in the real world, and this also means staying compatible with the email clients that are actually used.
Till, I understand the reason. In our case, we don't have equipment or systems which need older protocols, so that's why I made these adjustments. Thanks for the explanation.
That is exactly why the conf-custom folder exists in /usr/local/ispconfig/server. You can put your customizations there to make them ISPConfig-upgrade-proof. In this case, custom install (and upgrade) settings.