Hi,
I am currently configuring an e-mail server with OpenSMTPD. While it is
2023, I am aware of the fact that some remote mail servers will support
insecure TLS protocols or fall back to plaintext. Because of that, I
want to advertise legacy TLS support (TLSv1.0 and up) for port 25 while
keeping modern TLS versions (TLSv1.2-1.3) for submission.
An excerpt of my current config is:
/etc/mail/smtpd.conf
. . .
listen on lo0 port 25 tls pki my.server.com protocols "all"
listen on lo0 port 587 tls-require pki my.server.com protocols "secure" auth <virtual_creds>
The strings I have used ("all", "secure") come from: man 3
tls_config_parse_protocols, which is referenced in: man smtpd.conf under
the "protocols" keyword.
A quick syntax check:
$ doas smtpd -n
... shows no issues.
When I test this via:
openssl s_client -connect 127.0.0.1:25 -starttls smtp -tls1
... I cannot conduct a regular interactive SMTP transaction - the
connection is established and then drops before I can: EHLO example.com
and so on.
Am I specifying this correctly? I tried enclosing "all" and "secure"
in double quotes, but testing with: openssl does not seem to work when
explicitly specifying TLSv1.0, TLSv1.1. It seems that OpenSMTPD is only
happy if the connection is TLSv1.2 or TLSv1.3.
Thanks,
-J
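A small script for verifying what each listener actually negotiates, added here as an example and not part of the original post. It wraps the same openssl s_client invocation used above, once per TLS version, and reports the negotiated protocol; the hostname argument is assumed to be your own server (my.server.com in the config is a placeholder), and the parser is also run on a constructed sample so it can be exercised without a live server.

```shell
#!/bin/sh
# Added example: probe a STARTTLS SMTP listener for each TLS version.
set -u

# Parse openssl s_client output on stdin and print the negotiated version.
# Prints "TLSv1.x" on success, "none" when the server rejected the
# handshake, and "client-refused" when the local openssl itself refused
# to offer that version (e.g. "no protocols available"), so a client-side
# limitation is not mistaken for a server-side one.
negotiated_protocol() {
    awk '
        /no protocols available/ { client = 1 }
        /^(New|Reused), /        { split($0, f, ", "); ver = f[2] }
        END {
            if (client)                            print "client-refused"
            else if (ver == "" || ver == "(NONE)") print "none"
            else                                   print ver
        }'
}

# One probe: $1 = host, $2 = port, $3 = openssl flag (-tls1 .. -tls1_3).
# QUIT is sent on stdin so s_client exits as soon as the handshake is done.
probe() {
    printf 'QUIT\r\n' \
        | openssl s_client -connect "$1:$2" -starttls smtp "$3" 2>&1 \
        | negotiated_protocol
}

# Report every version for one listener, one line per version.
probe_listener() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%s:%s %-8s -> %s\n' "$1" "$2" "$flag" \
            "$(probe "$1" "$2" "$flag")"
    done
}

# Constructed sample of s_client output, used to demonstrate the parser.
SAMPLE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2'
printf 'sample parse -> %s\n' "$(printf '%s\n' "$SAMPLE" | negotiated_protocol)"

# Usage: sh probe.sh my.server.com
# With protocols "all" on 25 you expect every line to show a version;
# with protocols "secure" on 587 you expect TLSv1.0/1.1 to report "none".
if [ "$#" -ge 1 ]; then
    probe_listener "$1" 25
    probe_listener "$1" 587
fi
```

If the -tls1 and -tls1_1 rows come back as "client-refused", the local openssl build is the side declining the old versions, not OpenSMTPD.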