On Mon, Dec 23, 2024 at 10:50:49AM +1100, Viktor Dukhovni via Postfix-users wrote:
> On Sun, Dec 22, 2024 at 02:31:56PM +0000, Laura Smith via Postfix-users wrote:
>
> > > Note that after the above you're allowing TLS 1.0 by default, where you
> > > insisted on TLS 1.2 or higher before. Postfix parsing of the legacy
> > > protocol negations has not changed. But you should be using the
> > > preferred min/max forms.
> >
> > I know you're saying nothing changed, but I'm telling you:
> >
> > openssl s_client -connect hostname:25 -starttls smtp
> >
> > Failed with the above error "before" and connects as expected "after"
> > the changes outlined.
>
> And, FWIW, I'm telling you that nothing has changed on the Postfix side.
> So if you saw an effect, it was for some other reason.

    $ postconf mail_version smtpd_tls_protocols
    mail_version = 3.10-20241202
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    $ fp=F4D9CF3B4E251085A4F3193DAAF3A5141CD95C7109D33C971C3F8F7CEC48CD1B
    $ posttls-finger -c -dsha256 -lfingerprint -Lsummary "[127.0.0.1]" "$fp"
    posttls-finger: Verified TLS connection established to 127.0.0.1[127.0.0.1]:25:
        TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange MLKEM768
        server-signature RSA-PSS (2048 bits)
        server-digest SHA256

--
Viktor.
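
Added example, not part of the original thread and not Postfix code: a simplified Python model of how a TLS protocol list resolves to an enabled set, for auditing a setting such as the one quoted above and rewriting the legacy negation form in the min/max form. The function names and the TLS 1.2 policy floor are assumptions of this sketch, and it ignores what the linked OpenSSL library actually supports.

```python
import re

# Protocol names used in Postfix TLS protocol lists, oldest first.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumption: policy floor is TLS 1.2


def _index(name):
    if name not in PROTOCOLS:
        raise ValueError(f"unknown protocol name: {name!r}")
    return PROTOCOLS.index(name)


def enabled_protocols(value):
    """Return the protocols a setting leaves enabled (simplified model)."""
    lo, hi = 0, len(PROTOCOLS) - 1
    excluded, included = set(), set()
    for token in filter(None, re.split(r"[,:\s]+", value.strip())):
        if token.startswith(">="):          # min form
            lo = max(lo, _index(token[2:]))
        elif token.startswith("<="):        # max form
            hi = min(hi, _index(token[2:]))
        elif token.startswith("!"):         # legacy negation
            excluded.add(PROTOCOLS[_index(token[1:])])
        else:                               # explicit inclusion
            included.add(PROTOCOLS[_index(token)])
    return [p for p in PROTOCOLS[lo:hi + 1]
            if p not in excluded and (not included or p in included)]


def weak_protocols(value):
    """Protocols below TLS 1.2 that the setting still permits."""
    return [p for p in enabled_protocols(value) if p in WEAK]


def min_max_form(value):
    """Equivalent min/max setting, or None if the set is empty or has a hole."""
    on = enabled_protocols(value)
    if not on:
        return None
    first, last = _index(on[0]), _index(on[-1])
    if on != PROTOCOLS[first:last + 1]:
        return None                         # non-contiguous: no min/max equivalent
    bounds = [">=" + on[0]]
    if last < len(PROTOCOLS) - 1:
        bounds.append("<=" + on[-1])
    return ", ".join(bounds)
```

A setting for which weak_protocols() returns a non-empty list permits handshakes below TLS 1.2; a None from min_max_form() means the negations leave a gap between enabled versions.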