TLSv1.3 does not work although it is enabled

maxileith

Hello,

I have had my Mailcow server for about three years. I have not checked since then if TLSv1.3 is actually working, I just blindly assumed it was. Unfortunately, today I had to use the SSL Labs tool to find out that TLSv1.3 is not enabled.

My question is how can I enable TLSv1.3 and how can I check this not only for nginx but also for postfix and dovecot.

Any help would be appreciated.

Attached are the configuration files for nginx.

data/conf/nginx/site.conf

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  include /etc/nginx/conf.d/server_name.active;
  if ( $request_uri ~* "%0A|%0D" ) { return 403; }
  return 301 https://$host$uri$is_args$args;
}

server_tokens off;
proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h  max_size=1g;
server_names_hash_bucket_size 64;

map $http_x_forwarded_proto $client_req_scheme {
     default $scheme;
     https https;
}

include /etc/nginx/conf.d/sites.active;

data/conf/nginx/includes/site-defaults.conf


  include /etc/nginx/mime.types;
  charset utf-8;
  override_charset on;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA$
  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

  add_header Strict-Transport-Security "max-age=15768000;";
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header Referrer-Policy strict-origin;

data/conf/nginx/wwwforward.conf

server {
  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
  index index.php index.html;
  client_max_body_size 0;
  root /web;
  include /etc/nginx/conf.d/listen_plain.active;
  include /etc/nginx/conf.d/listen_ssl.active;
  server_name smtp.* imap.* pop.* autoconfig.* autodiscover.*;

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
  }

  location / {
    return 301 https://mail.example.org/;
  }
}

data/conf/nginx/webmail.conf

server {
  ssl_certificate /etc/ssl/mail/cert.pem;
  ssl_certificate_key /etc/ssl/mail/key.pem;
  index index.php index.html;
  client_max_body_size 0;
  root /web;
  include /etc/nginx/conf.d/listen_plain.active;
  include /etc/nginx/conf.d/listen_ssl.active;
  server_name webmail.*;

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
  }

  location / {
    return 301 https://mail.example.org/SOGo;
  }
}

maxileith

When I specify the SSL Protocol in data/conf/nginx/site.conf, TLSv1.3 works fine.

However, this installation should be taken from data/conf/nginx/includes/site-defaults.conf. Any ideas?

data/conf/nginx/site.conf

server_tokens off;
proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h  max_size=1g;
server_names_hash_bucket_size 64;

ssl_protocols TLSv1.2 TLSv1.3;

map $http_x_forwarded_proto $client_req_scheme {
     default $scheme;
     https https;
}

include /etc/nginx/conf.d/sites.active;

maxileith

I think i found a bug.

mailcow/mailcow-dockerized4064

diekuh

I added ssl_protocols to the site, can you verify it helps? You may need to disable and re-enable XMPP for that domain.

maxileith

diekuh TLSv1.3 now works properly. I’m glad that I could make a small contribution to such a great project.

diekuh

Thank you! Great. 🙂