Submitted by gadnet@aqueos.com on Thu, 06/29/2017 - 04:57
hi,
When virtual-server/copycert-lib.pl copies the config of certs it restricts the tls protocols to
virtual-server/copycert-lib.pl:&postfix::set_current_value("smtpd_tls_mandatory_protocols", "SSLv3, TLSv1");
Therefore it allows insecure sslv3 and prevents tls1.1 and tls 1.2 from connecting. I think the right default should be
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
as per recommendation it seems a better way.
best regards, Ghislain.
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Thu, 06/29/2017 - 23:10 Comment #1
Good suggestion .. I'll fix that up for the next release.
Submitted by JamieCameron on Thu, 06/29/2017 - 23:11 Comment #2
Submitted by IssueBot on Thu, 07/13/2017 - 23:30 Comment #3
Automatically closed - issue fixed for 2 weeks with no activity.
Submitted by gadnet@aqueos.com on Thu, 09/07/2017 - 09:25 Comment #4
Another thing, your script does not set the cipher lists (in the high/medium/low setting list) but the same process modifies the tls cipher list used by postfix to
smtpd_tls_mandatory_ciphers = high
here we use the mozilla TLS advice for low medium high, when you force the smtp to high lots of email clients stop working. You should not modify this setting as you do not set or permit to set the value of the high/low/medium cipher lists :)
Could you remove this also? or make it more configurable?
regards, Ghislain.
Submitted by gadnet@aqueos.com on Thu, 09/07/2017 - 07:02 Comment #5
Submitted by JamieCameron on Sat, 09/09/2017 - 13:24 Comment #6
Maybe it's best to stop setting
smtpd_tls_mandatory_ciphers
entirely? Which mail clients does this break?
Submitted by gadnet@aqueos.com on Thu, 10/05/2017 - 04:03 Comment #7
the clients are iPhone and Mac mail clients as far as I have been contacted.
Per the mozilla recommended TLS setting the high (modern) is not supported by macOS and iOS email clients. So yes, as you do not set the list of ciphers, changing the smtpd_tls_mandatory_ciphers is perhaps not a good idea :)
best regards, Ghislain.
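The two settings argued over in this thread, the protocol list written by copycert-lib.pl in the opening report and the forced `smtpd_tls_mandatory_ciphers = high` from comment #4, can both be checked mechanically. The script below is an added example, not Virtualmin's or Postfix's own code: it parses a main.cf fragment, works out which protocol versions a `*_tls_mandatory_protocols` value actually permits (Postfix accepts an exclusion list such as `!SSLv2, !SSLv3`, an inclusion list such as `SSLv3, TLSv1`, or on Postfix 3.6 and later a range such as `>=TLSv1.2`), and reports the problems the thread describes. The two main.cf samples and the certificate paths in them are constructed for the example.

```python
"""Audit Postfix main.cf TLS settings for the problems discussed in this thread.

Added example; the sample configurations below are constructed, not taken from
any real server or from Virtualmin's own code.
"""
import re

# Protocol versions in the order OpenSSL/Postfix rank them, oldest first.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
PROTOCOL_SETTINGS = ("smtpd_tls_mandatory_protocols", "smtp_tls_mandatory_protocols")

# Constructed sample: what the report says copycert-lib.pl wrote into main.cf.
WEAK_MAIN_CF = """
# constructed sample, paths are placeholders
smtpd_tls_cert_file = /path/to/example.com.cert
smtpd_tls_key_file = /path/to/example.com.key
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
"""

# Constructed sample: the default suggested in the report, with the cipher
# grade left alone as agreed in comment #8.
FIXED_MAIN_CF = """
smtpd_tls_cert_file = /path/to/example.com.cert
smtpd_tls_key_file = /path/to/example.com.key
smtpd_tls_mandatory_protocols = !SSLv2,
    !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
"""


def parse_main_cf(text):
    """Parse 'name = value' lines of a Postfix main.cf into a dict.

    Skips '#' comment lines, joins continuation lines (leading whitespace) to
    the previous setting, and lets a later assignment override an earlier one,
    which is how Postfix itself reads the file.
    """
    settings = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            settings[current] = (settings[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        settings[current] = value.strip()
    return settings


def allowed_protocols(value):
    """Return the set of protocol versions a *_tls_mandatory_protocols value permits.

    Exclusion list ('!SSLv2, !SSLv3'): everything except the named versions.
    Inclusion list ('SSLv3, TLSv1'): only the named versions.
    Range ('>=TLSv1.2', '<=TLSv1.3'): Postfix 3.6+ syntax, assumed here.
    Postfix rejects a mix of '!' exclusions and inclusions, so this does too.
    """
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    if not tokens:
        return set(ALL_PROTOCOLS)  # an empty value places no restriction at all
    allowed = set(ALL_PROTOCOLS)
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith(("!", ">=", "<="))}
    if excluded and included:
        raise ValueError("cannot mix '!' exclusions with an inclusion list: %r" % value)
    for t in tokens:
        if t.startswith(">="):
            allowed &= set(ALL_PROTOCOLS[ALL_PROTOCOLS.index(t[2:]):])
        elif t.startswith("<="):
            allowed &= set(ALL_PROTOCOLS[: ALL_PROTOCOLS.index(t[2:]) + 1])
    if included:
        allowed &= included
    return allowed - excluded


def audit(settings):
    """Return (setting, problem) pairs for the issues raised in this thread."""
    findings = []
    for name in PROTOCOL_SETTINGS:
        if name not in settings:
            continue
        allowed = allowed_protocols(settings[name])
        legacy = allowed & {"SSLv2", "SSLv3"}
        if legacy:
            findings.append((name, "permits " + ", ".join(sorted(legacy))))
        if "TLSv1.2" not in allowed:
            findings.append((name, "does not permit TLSv1.2, so current clients cannot connect"))
    # Comment #4: forcing the 'high' grade makes every client negotiate from
    # tls_high_cipherlist, which the script never sets or lets the admin set.
    if settings.get("smtpd_tls_mandatory_ciphers", "").lower() == "high":
        findings.append(("smtpd_tls_mandatory_ciphers",
                         "forces the 'high' grade; clients that cannot use tls_high_cipherlist fail"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label + ":", audit(parse_main_cf(text)) or "no findings")
```

Run against the weak sample it reports the permitted SSLv3, the missing TLSv1.2 and the forced cipher grade; the fixed sample yields no findings. The same `audit` can be pointed at a real `/etc/postfix/main.cf` by reading the file into `parse_main_cf`.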
Submitted by JamieCameron on Thu, 10/05/2017 - 23:55 Comment #8
Ok, we will do that
Submitted by gadnet@aqueos.com on Fri, 10/06/2017 - 10:50 Comment #9
thanks a lot for following this :)
Submitted by IssueBot on Thu, 10/11/2018 - 20:07 Comment #10
Automatically closed - issue fixed for 2 weeks with no activity.