> The Fedora crypto policies apply to both servers and clients.  Your
> client doing the tests is almost certainly using the default SECLEVEL=2,
> which disables TLSv1 and TLSv1.1.  If you configure the client to also
> allow these protocols, the test will work as expected.  The problem is
> not on the Postfix end.

hm.  my understanding of the

        https://www.checktls.com/

'client' (not mine, online/hosted) was that spec'ing the "SSL Version" 
explicitly as TLS 1.1 does allow exactly that.

perhaps a bad assumption :-/

i'll test with my own client ...


> Note that Postfix ">=TLS..." syntax explicitly sets the minimum protocol
> level, overriding any config file defaults (including crypto policy).

i did not understand that to be the case.

tho I *do* have

        smtp_tls_protocols = >=TLSv1.1, <=TLSv1.3
        smtpd_tls_protocols = >=TLSv1.1, <=TLSv1.3

v1.1 is not allowed in this test, whereas v1.2+ is.

seems like pebkac.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
