Please enable option to choose TLS min versions

Issue #713 resolved
Kai Kauper created an issue

Hi,

a lot of clients are complaining that since the last update they are not able to connect with client versions like iOS 9, macOS El Capitan, … (I know, they should update, but they can’t do this due to company policies)

As we have checked with https://ssl-tools.net/mailservers on version 2.1.11 we can see that TLS 1, 1.1 and 1.2 are available. On the version 2.2.0 only TLS 1.2 is available.

We know that security is an important topic but we should be able to choose our own minimum TLS version. If you check for example gmail.com on the above named site you can see that they do still provide TLS 1, 1.1 and 1.2.

So for now, we have to stay on the older version of poste as we have to provide a working email environment for our clients with TLS 1 and 1.1. If you could give us an option to use our preferred settings, that would be amazing and absolutely necessary.

Thanks,
Kai

Comments (16)

  1. Scott MacDonald

    Just FYI that the update to TLS 1.2 as minimal version was identified in the changelog. I don’t disagree that it may be best served by being a configurable option, however, being that it was identified one could conclude that before upgrading your Poste.io version on the server that all clients would first be compatible.

    As an option to restore compatibility you can easily roll back to the previous Poste.io version without too much difficulty.

  2. Alexander

    I’m with Kai: It would be great to be able to select the TLS versions offered. The reason is simple: You can’t force users to update their OS systems (Kai points out some very good reasons why) and not to be able to upgrade poste.io just because of the TLS issue is not an option.

  3. Kai Kauper reporter

    Thanks Alexander. When considering that you are a Pro user of poste.io and surely want to use many more features of newer versions, besides more security through a new minimum TLS version, it should definitely be possible to change this manually.

  4. Foddy

    I tried to replace the dovecot SSL config file in /etc/dovecot/conf.d/10-ssl.conf with the contents of the old version 2.1.11 with the following contents (I used the _override folder to replace this file inside the container):

    ssl = required
    ssl_cert = </etc/ssl/server-combined.crt
    ssl_key = </etc/ssl/server.key
    ssl_dh=</etc/ssl/dh4096.pem
    
    ssl_min_protocol = TLSv1
    ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    ssl_prefer_server_ciphers = no
    
    # debug
    #auth_verbose=yes
    #auth_debug=yes
    #auth_debug_passwords=yes
    #mail_debug=yes
    #verbose_ssl=yes
    #auth_verbose_passwords=plain
    

    If I run dovecot -a inside the container it seems that the new configuration is applied. Unfortunately the server is still not offering support for older TLS versions < v1.2. Is there something or some file I forgot to change?

  5. Alexander

    Have you tried to restart the container? You could use the /etc/dovecot/conf.d/10-ssl.conf file with the override method as described in the poste.io documentation:
    create a folder _override in your maildata directory and put your /etc/dovecot/conf.d/10-ssl.conf (also with the folders!), so it would be: <your_maildata_directory>/_override/etc/dovecot/conf.d/10-ssl.conf

  6. Foddy

    Thanks. I tried that and restarted the container after those changes. If I open the file inside the container under

    /etc/dovecot/conf.d/10-ssl.conf

    it seems replaced with the file in the _override folder. Unfortunately after several times restarting Poste.io it is still not applied. Maybe there is another file I should replace?

  7. Kai Kauper reporter

    Hi,

    don’t get me wrong for pushing this topic to the top again, but is it possible to get an answer on whether my request can be developed or not?
    As we are willing to pay for your service we also want to use the newest version of poste.

    Thanks,
    Kai

  8. Foddy

    Thank you very much for this. Are there any docs available for this or is this new version not published yet?

  9. SH repo owner

    Just save settings at web UI and new section at server.ini should magically appear:

    [tls]
    ; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.
    
    auth_required = 1
    inbound_min_version =
    inbound_ciphers =
    

  10. R.B

    hi

    I tried to modify it to 1.1, but it didn't seem to work as 1.1.
    Do I need to restart the server?

    [tls]
    ; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.
    
    auth_required = 1
    inbound_min_version = 1.1
    inbound_ciphers =
    

  11. SH repo owner

    sorry, it seems it is not documented enough

    • valid values are TLSv1.3, TLSv1.2, TLSv1.1, or TLSv1
    • TLSv1.1 is the default in the latest version
    • yes, for any change to server.ini you should restart the container
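    Since an unnoticed typo in this section only shows up as a server that silently keeps its old floor (comment 10 above wrote 1.1 where TLSv1.1 is expected), here is a small checker to run over server.ini before restarting the container. This is an added example for the thread, not poste.io project code. The only facts it takes from the thread are the three [tls] keys and the four accepted values listed above; the mapping to Dovecot's ssl_min_protocol and ssl_cipher_list mirrors the 10-ssl.conf posted earlier, the weak-cipher markers are my own choice, and both sample files are constructed.

```python
"""Sanity-check the [tls] section of a poste.io server.ini before restarting.

Added example for this thread, not poste.io project code. Facts taken from the
thread: the keys auth_required / inbound_min_version / inbound_ciphers and the
accepted values TLSv1.3, TLSv1.2, TLSv1.1, TLSv1. The rendering into Dovecot's
ssl_min_protocol / ssl_cipher_list mirrors the 10-ssl.conf posted above; the
weak-cipher markers are my own choice, and the two sample files are constructed.
"""
import configparser
import re

VALID_MIN_VERSIONS = ("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")
# Substrings that mark a cipher suite as broken or obsolete (3DES, RC4, MD5,
# export grades, unauthenticated or unencrypted suites).
WEAK_MARKERS = ("DES-CBC3", "RC4", "MD5", "EXP", "NULL", "ADH", "AECDH")
OPENSSL_KEYWORDS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}

# Constructed sample: the value from comment 10 above ("1.1" instead of "TLSv1.1").
SAMPLE_WRONG = """[tls]
; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.

auth_required = 1
inbound_min_version = 1.1
inbound_ciphers =
"""

# Constructed sample: spelled as the repo owner lists it, plus a few suites
# taken from the 2.1.11 10-ssl.conf cipher list above.
SAMPLE_OK = """[tls]
auth_required = 1
inbound_min_version = TLSv1.1
inbound_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA
"""


def normalize_version(raw: str):
    """Map '1.1', 'tls1.1', 'TLSv1.1', ... to the canonical spelling, or None."""
    m = re.fullmatch(r"(?:tlsv?)?1(?:\.([0-3]))?", raw.strip().lower())
    if not m:
        return None
    minor = m.group(1) or "0"
    return "TLSv1" if minor == "0" else f"TLSv1.{minor}"


def audit_ciphers(cipher_list: str):
    """Return [(suite, reason)] for suites a practitioner should think twice about."""
    findings = []
    for item in filter(None, cipher_list.split(":")):
        if item[0] in "!-+@" or item.upper() in OPENSSL_KEYWORDS:
            continue  # modifiers and OpenSSL group keywords are not audited here
        if any(bad in item.upper() for bad in WEAK_MARKERS):
            findings.append((item, "weak or broken algorithm"))
        elif not item.startswith(("ECDHE-", "DHE-")):
            findings.append((item, "no forward secrecy (static RSA key exchange)"))
    return findings


def validate_tls_section(ini_text: str):
    """Return (errors, warnings, dovecot_lines) for a server.ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    errors, warnings, dovecot = [], [], []
    if not cp.has_section("tls"):
        errors.append("no [tls] section: save settings once in the web UI to create it")
        return errors, warnings, dovecot
    tls = cp["tls"]

    if tls.get("auth_required", "1").strip() not in ("0", "1"):
        errors.append("auth_required must be 0 or 1")

    raw = tls.get("inbound_min_version", "").strip()
    if raw:
        version = normalize_version(raw)
        if version is None:
            errors.append(f"inbound_min_version={raw!r}: valid values are {', '.join(VALID_MIN_VERSIONS)}")
        else:
            if version != raw:
                errors.append(f"inbound_min_version={raw!r} must be written exactly as {version!r}")
            if version in ("TLSv1", "TLSv1.1"):
                warnings.append(f"{version} is deprecated (RFC 8996); this lowers the floor for every client, not only the legacy ones")
            dovecot.append(f"ssl_min_protocol = {version}")

    ciphers = tls.get("inbound_ciphers", "").strip()
    if ciphers:
        warnings.extend(f"cipher {suite}: {why}" for suite, why in audit_ciphers(ciphers))
        dovecot.append(f"ssl_cipher_list = {ciphers}")
    return errors, warnings, dovecot


if __name__ == "__main__":
    for label, text in (("comment 10", SAMPLE_WRONG), ("fixed", SAMPLE_OK)):
        errors, warnings, dovecot = validate_tls_section(text)
        print(label, "errors:", errors, "warnings:", warnings, "dovecot:", dovecot)
```

    The dovecot_lines output is what you would expect to see reflected in /etc/dovecot/conf.d/10-ssl.conf inside the container after the restart; if the container is up and those lines are not there, the setting did not reach Dovecot and lowering it further will not help. Note that the 2.1.11 cipher list posted above ends in DES-CBC3-SHA (3DES) and contains several static-RSA suites, which is why the audit flags them even though they are what the old version shipped with.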

  12. R.B

    Hello there
    I have modified the version information and restarted the container, but detected that version 1.1 is still not supported.

    Is my operation correct?

    [tls]
    ; Custom settings for TLS (only Dovecot and Haraka). Be warned, mailserver can stop working with invalid settings.

    auth_required = 1
    inbound_min_version = TLSv1.1
    inbound_ciphers =
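    Whether a change like the one above actually took effect is best checked from the outside, per listener and per protocol version, rather than from the rendered config alone. The reporter used https://ssl-tools.net/mailservers for that; the following script does the same from your own machine with only the Python standard library. It is an added example for this thread, not poste.io project code: the host name mail.example.com and the port table are placeholders, and the STARTTLS preamble is a minimal one for SMTP and IMAP only. One caveat it handles: a current OpenSSL on the probing client refuses TLS 1.0/1.1 on its own (security level), so the context lowers the level to make a failure attributable to the server.

```python
"""Check which TLS protocol versions a mail server really accepts.

Added example for this thread, not poste.io project code. Standard library only.
The host name mail.example.com and the port table are placeholders; pass your
own host on the command line.
"""
import socket
import ssl
import sys

# Protocol versions to try, in the spelling inbound_min_version uses.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


class StartTlsError(Exception):
    """The plaintext phase did not reach a point where TLS could start."""


def make_context(version: str) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version.

    Certificate verification is switched off on purpose: the question is
    whether the handshake completes at all, not whether the chain validates.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[version]
    ctx.maximum_version = VERSIONS[version]
    if version in ("TLSv1", "TLSv1.1"):
        # Current OpenSSL security levels refuse TLS 1.0/1.1 on the client
        # side; lower the level so a failure is attributable to the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def _readline(sock: socket.socket) -> str:
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise StartTlsError("peer closed the connection")
        buf += chunk
    return buf.decode("ascii", "replace")


def starttls(sock: socket.socket, proto: str) -> None:
    """Drive the plaintext preamble up to the point where TLS starts."""
    if proto == "smtp":
        while not _readline(sock).startswith("220 "):
            pass  # skip a multi-line greeting
        sock.sendall(b"EHLO tlsprobe.invalid\r\n")
        while True:
            line = _readline(sock)
            if not line.startswith("250"):
                raise StartTlsError("EHLO failed: " + line.strip())
            if line.startswith("250 "):
                break  # last line of the EHLO response
        sock.sendall(b"STARTTLS\r\n")
        if not _readline(sock).startswith("220"):
            raise StartTlsError("STARTTLS refused")
    elif proto == "imap":
        _readline(sock)  # "* OK ..." greeting
        sock.sendall(b"a1 STARTTLS\r\n")
        if not _readline(sock).startswith("a1 OK"):
            raise StartTlsError("STARTTLS refused")
    else:
        raise ValueError("unknown STARTTLS protocol: " + proto)


def probe(host: str, port: int, version: str, proto=None, timeout: float = 5.0) -> str:
    """Return 'accepted', 'rejected', 'no-starttls', 'unreachable' or 'unsupported-locally'."""
    try:
        ctx = make_context(version)
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"  # local OpenSSL built without this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if proto:
                starttls(raw, proto)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                negotiated = tls.version()
        return "accepted" if negotiated == version else "rejected"
    except StartTlsError:
        return "no-starttls"
    except ssl.SSLError:
        return "rejected"  # handshake failed: the server does not offer this version
    except OSError:
        return "unreachable"


def report(host: str, ports: dict) -> dict:
    """ports maps port -> STARTTLS protocol, or None for implicit TLS."""
    return {(port, v): probe(host, port, v, proto)
            for port, proto in ports.items() for v in VERSIONS}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    # Usual mail listeners: implicit TLS on 465/993, STARTTLS on 25/587/143.
    listeners = {465: None, 993: None, 25: "smtp", 587: "smtp", 143: "imap"}
    for (port, version), status in sorted(report(target, listeners).items()):
        print(f"{port:>4} {version:<8} {status}")
```

    Run it once before and once after editing server.ini and restarting; a row that stays at rejected for TLSv1.1 on every port means the setting never reached Dovecot or Haraka, which is the situation described in the comment above. The same check can be done by hand with openssl s_client -connect host:993 -tls1_1 (add -starttls smtp or -starttls imap for the plaintext ports).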
