Disable TLS 1.0 and TLS 1.1

ericafterdark

I ran the email check at https://en.internet.nl to test my mailcow configuration and the results are pretty good. Almost 100% score. I’d like to fix the remaining issues and one is with TLS.

At least one of your mail servers supports one or more TLS versions that should be phased out deliberately, because they are known to be fragile and at risk of becoming insufficiently secure.

These are: TLS 1.0 and TLS 1.1 so they should be removed or disabled.
TLS 1.2 (sufficient) and TLS 1.3 (good) are OK.

How can this be done?

esackbauer

Do you mean the web services like SOGo and mailcow UI? or SMTP?

ericafterdark

esackbauer the tool validates the MX record so Dovecot I assume?

esackbauer

No, that would be postfix (SMTP).
Dovecot is only POP3/IMAP.

According to this documentation, it should be already disabled. However you are limiting the reachability of your mailserver if you restrict it, because there are many misconfigured mail servers out there.
The configuration is enforced to TLS 1.2 if you require TLS for certain domains. If TLS is not enforced for a certain domain, it will accept any TLS version, and even falls back to unencrypted.
I wouldn’t change those settings

ericafterdark

esackbauer copy. Thanks, seems like good advice. I’ll let it be.

wreidlinger

@esackbauer thanks for your comment on this topic.
I was reading this docs article and thought TLSv1.0 and TLSv1.1 is disabled by default. But many security scanner told me v1.0 and v1.1 are still active. So I did some research and found some additional syntax for the files data/conf/postfix/extra.cf and data/conf/dovecot/extra.conf.
@esackbauer could be please guide me in the right direction and tell me if this is the correct way to disable TLSv1.0 and TLSv1.1 for Postfix and Dovecot.

Postfix (`data/conf/postfix/extra.cf``)

# For SMTPS/Submission
submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# For SMTP (via STARTTLS)
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Dovecot (data/conf/dovecot/extra.conf)

ssl_min_protocol = TLSv1.2

I’m on the mailcow version 2024-04 with a aarch64 architecture.
Many thanks for maintaining this awesome project!!

esackbauer

wreidlinger

With the June 2024 Patch (2024-06), TLS 1.0 and TLS 1.1 were also disabled for unauthenticated mail via SMTP

You have to wait until the new patch is out. Should be in some days, and you should not require to configure it manually.