The Fedora crypto policies apply to both servers and clients. Your client doing the tests is almost certainly using the default SECLEVEL=2, which disables TLSv1 and TLSv1.1. If you configure the client to also allow these protocols, the test will work as expected. The problem is not on the Postfix end.
hm. my understanding of the https://www.checktls.com/ 'client' (not mine, online/hosted) was that spec'ing the "SSL Version" explicitly as TLS 1.1 does allow exactly that. perhaps a bad assumption :-/ i'll test with my own client ...
Note that Postfix ">=TLS..." syntax explicitly sets the minimum protocol level, overriding any config file defaults (including crypto policy).
i did not understand that to be the case. tho I *do* have

    smtp_tls_protocols = >=TLSv1.1, <=TLSv1.3
    smtpd_tls_protocols = >=TLSv1.1, <=TLSv1.3

v1.1 is not allowed in this test, whereas v1.2+ is. seems like pebkac.
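An added example, not part of the thread and not Postfix code: a Python model of the `*_tls_protocols` bound and exclusion syntax that computes which versions the posted setting admits and whether a peer's range overlaps it. The client-side ranges are constructed for illustration, and limits imposed by the TLS library itself (security level, crypto policy) are not modelled.

```python
import re

# Protocol names in ascending order, spelled as in Postfix settings.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RANK = {name.lower(): i for i, name in enumerate(ORDER)}


def allowed_protocols(spec):
    """Return the protocol names admitted by a *_tls_protocols value.

    Handles bounds (">=TLSv1.1, <=TLSv1.3") and exclusions ("!SSLv2, !SSLv3").
    Assumption: only these two token forms are modelled; anything else raises.
    """
    lo, hi, excluded = 0, len(ORDER) - 1, set()
    for token in filter(None, re.split(r"[,\s:]+", spec.strip())):
        m = re.fullmatch(r"(>=|<=|!)(.+)", token)
        if m is None or m.group(2).lower() not in RANK:
            raise ValueError(f"unsupported token in spec: {token!r}")
        op, rank = m.group(1), RANK[m.group(2).lower()]
        if op == ">=":
            lo = rank
        elif op == "<=":
            hi = rank
        else:
            excluded.add(rank)
    # An inverted range (floor above ceiling) yields an empty list.
    return [ORDER[i] for i in range(lo, hi + 1) if i not in excluded]


def negotiate(server_spec, client_spec):
    """Highest version both sides admit, or None when the ranges do not overlap."""
    common = set(allowed_protocols(server_spec)) & set(allowed_protocols(client_spec))
    return max(common, key=lambda n: RANK[n.lower()], default=None)


if __name__ == "__main__":
    posted = ">=TLSv1.1, <=TLSv1.3"  # value from the message above
    # Constructed peer settings, written in the same syntax for convenience.
    peers = [
        ("peer pinned to TLS 1.1", ">=TLSv1.1, <=TLSv1.1"),
        ("peer with a TLS 1.2 floor", ">=TLSv1.2"),
        ("peer pinned to 1.1 under a 1.2 floor", ">=TLSv1.2, <=TLSv1.1"),
    ]
    for label, peer in peers:
        print(f"{label}: {negotiate(posted, peer)}")
```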