Please enable option to choose TLS min versions
Hi,
a lot of clients are complaining that since the last update they are not able to connect with client versions like iOS 9, macOS El Capitan, … (I know, they should update, but they can’t do this due to company policies)
As we have checked with https://ssl-tools.net/mailservers on version 2.1.11. we can see that TLS 1, 1.1 and 1.2 are available. On the version 2.2.0 only TLS 1.2 is available.
We know that security is an important topic but we should be able to choose our own minimum TLS version. If you check for example gmail.com on the above named site you can see that they do still provide TLS 1, 1.1 and 1.2.
So for now, we have to stay on the older version of poste as we have to provide a working email environment for our clients with TLS 1 and 1.1. If you could give us an option to use our preferred settings, that would be amazing and absolutely necessary.
Thanks,
Kai
Comments (16)
-
reporter @SH what is your opinion about this?
-
I’m with Kai: It would be great to be able to select the TLS versions offered. The reason is simple: You can’t force users to update their OS Systems (Kai points out some very good reasons why) and not to be able to upgrade poste.io just because of the TLS issue is not an option.
-
reporter Thanks Alexander. When considering that you are a Pro user of poste.io and surely want to use many more features of newer versions, besides more security through a new minimum TLS version, it should definitely be possible to change this manually.
-
I tried to replace the dovecot SSL config file in
/etc/dovecot/conf.d/10-ssl.conf
with the contents of the old version 2.1.11 with the following contents (I used the _override folder to replace this file inside the container):

    ssl = required
    ssl_cert = </etc/ssl/server-combined.crt
    ssl_key = </etc/ssl/server.key
    ssl_dh = </etc/ssl/dh4096.pem
    ssl_min_protocol = TLSv1
    ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    ssl_prefer_server_ciphers = no
    # debug
    #auth_verbose=yes
    #auth_debug=yes
    #auth_debug_passwords=yes
    #mail_debug=yes
    #verbose_ssl=yes
    #auth_verbose_passwords=plain

If I run
dovecot -a
inside the container it seems that the new configuration is applied. Unfortunately the server is still not offering support for older TLS versions < v1.2. Is there something or some file I forgot to change?
-
Have you tried to restart the container? You could use the
/etc/dovecot/conf.d/10-ssl.conf
file with the override method as described in the poste.io documentation: create a folder _override in your maildata directory and put your /etc/dovecot/conf.d/10-ssl.conf there (also with the folders!), so it would be:
<your_maildata_directory>/_override/etc/dovecot/conf.d/10-ssl.conf
-
Thanks. I tried that and restarted the container after those changes. If I open the file inside the container under
/etc/dovecot/conf.d/10-ssl.conf
it seems replaced with the file in the _override folder. Unfortunately after several times restarting Poste.io it is still not applied. Maybe there is another file I should replace?
-
reporter Hi,
don’t get me wrong pushing this topic to the top again, but is it possible to get an answer if my request is possible to develop or not?
As we are willing to pay for your service we also want to use the newest version of poste. Thanks,
Kai
-
repo owner ref
#713 revert to tls min_protocol to 1.1 for haraka&dovecot → <<cset 504623892d1e>>
-
repo owner - changed status to resolved
fix
#713 add tls options for Haraka&Dovecot at server.ini (not available through web) → <<cset 6b192f52e221>>
-
Thank you very much for this. Are there any docs available for this or is this new version not published yet?
-
And how can I configure the minimum TLS version in the server.ini?
-
repo owner Just save settings at web UI and new section at server.ini should magically appear:

    [tls]
    ; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.
    auth_required = 1
    inbound_min_version =
    inbound_ciphers =
-
hi
I tried to modify it to 1.1, but it didn't seem to work as 1.1.
Do I need to restart the server?
    [tls]
    ; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.
    auth_required = 1
    inbound_min_version = 1.1
    inbound_ciphers =
-
repo owner sorry, it seems it is not documented enough
- valid values are TLSv1.3, TLSv1.2, TLSv1.1, or TLSv1
- TLSv1.1 is default at latest version
- yes, for any change at server.ini you should restart container
-
Hello there
I have modified the version information and restarted the container, but detected that version 1.1 is still not supported. Is my operation correct?

    [tls]
    ; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.
    auth_required = 1
    inbound_min_version = TLSv1.1
    inbound_ciphers =
-
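Added example, not from this thread or from Poste.io: a small Python script that reads the [tls] section of server.ini, rejects values the maintainer says are not accepted (the bare 1.1 tried above), and then handshakes against a host once per protocol version to report what the server really negotiates, which is the check ssl-tools.net performs. Host and port are assumptions; the default is IMAPS on 993.

```python
import configparser
import socket
import ssl

# Values the maintainer lists as accepted for inbound_min_version in server.ini.
VALID_MIN_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def configured_min_version(ini_text):
    """Canonical name from [tls] inbound_min_version; "TLSv1.1" (the stated
    default) when empty; None for a value Poste.io does not accept ("1.1")."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    value = cp.get("tls", "inbound_min_version", fallback="").strip()
    if value == "":
        return "TLSv1.1"
    return value if value in VALID_MIN_VERSIONS else None

def offered_versions(host, port=993, timeout=5):
    """Handshake once per protocol version with that version pinned as both
    minimum and maximum; True where the server negotiated it."""
    offered = {}
    for name, version in VALID_MIN_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only protocol support is under test,
        ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
        try:
            ctx.minimum_version = ctx.maximum_version = version
            if version < ssl.TLSVersion.TLSv1_2:
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 blocks 1.0/1.1 above level 0
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    offered[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            offered[name] = False
    return offered

# Sample [tls] section as posted in the thread, with the value in accepted form.
SAMPLE_INI = "[tls]\nauth_required = 1\ninbound_min_version = TLSv1.1\ninbound_ciphers =\n"

if __name__ == "__main__":
    import sys  # assumed usage: python probe.py mail.example.com 993
    print("server.ini asks for:", configured_min_version(SAMPLE_INI))
    print(offered_versions(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 993))
```

A version reported as refused after a container restart means the setting did not reach Dovecot or Haraka, which is the situation described in the comments above.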
Just FYI that the update to TLS 1.2 as minimal version was identified in the changelog. I don’t disagree that it may be best served by being a configurable option, however, being that it was identified one could conclude that before upgrading your Poste.io version on the server that all clients would first be compatible.
As an option to restore compatibility you can easily roll back to the previous Poste.io version without too much difficulty.