Hi, I think this has something to do with smtpd_tls_fingerprint_digest:

    smtpd_tls_fingerprint_digest = ${{$compatibility_level} <level {3.6} ? {md5} : {sha256}}

Since you have 3.5 it's using md5; try to set this value to sha256.

Best regards
Matthias

From: "Taco de Wolff via Postfix-users" <postfix-users@postfix.org>
To: "postfix-users" <postfix-users@postfix.org>
Sent: Monday, 22 January 2024 15:44:40
Subject: [pfx] Enabling TLS1.3 and allow sending over SMTPS/465

Hi,

Two questions really. One is that I can't enable TLS1.3 whatever I try. Running CentOS8 with OpenSSL v1.1.1k-FIPS and Postfix v3.5.8, I confirm that TLS1.3 ciphers are available:

    # openssl version
    OpenSSL 1.1.1k FIPS 25 Mar 2021
    # postconf -T compile-version
    OpenSSL 1.1.1k FIPS 25 Mar 2021
    # postconf -T run-version
    OpenSSL 1.1.1k FIPS 25 Mar 2021
    # openssl ciphers -v
    TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
    etc.

Relevant configuration for port 465 (implicit TLS):

    # postconf
    smtpd_tls_cert_file = /path/to/crt
    smtpd_tls_ciphers = medium
    smtpd_tls_exclude_ciphers =
    smtpd_tls_key_file = /path/to/key
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_exclude_ciphers =
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    tls_medium_cipherlist = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    smtpd_tls_security_level = encrypt
    smtpd_tls_wrappermode = yes

Trying to connect using TLS1.3 on a client that supports both TLS1.3 ciphersuites, I get:

    $ openssl s_client -connect server.hostname:465 -tls1_3
    Connecting to [IPADDRESS]
    CONNECTED(00000003)
    40879BE5F97F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:861:SSL alert number 70

Has this something to do with FIPS mode? I don't think so, because the ciphers show up in OpenSSL. Why is TLS1.3 not getting enabled?

The second question came up while fixing a blocked outbound port 25 with my ISP. I've noticed that mail gets sent to DANE-enabled servers, I suppose because it uses port 587 using STARTTLS. I wonder if Postfix allows sending mail over the recommended implicit TLS port 465 between mail servers? The documentation isn't very clear on the distinction between (implicit) TLS and STARTTLS, but setting smtp_tls_wrappermode=yes would force using implicit TLS (right?), while I want to use opportunistic implicit TLS (with fallback to STARTTLS, it's better than nothing) which can be enforced by DANE-enabled servers.

Kind regards,
Taco de Wolff
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
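Added example, not code from the thread, from either poster, or from Postfix: two small POSIX sh helpers for auditing an smtpd TLS setup like the one in the question. postfix_enabled_protocols expands a smtpd_tls_protocols / smtpd_tls_mandatory_protocols value (the "!SSLv2, !SSLv3, ..." exclusion form, a plain include list, or the ">=TLSv1.2" form that Postfix 3.6+ accepts) into the explicit set of versions left enabled, so it is obvious whether TLSv1.3 is still in the set before blaming OpenSSL or FIPS. sclient_result classifies a captured openssl s_client transcript as either a negotiated protocol or a fatal alert (alert 70 is protocol_version, the one in the question). Assumptions: the canonical Postfix protocol names and ordering, an alert-name table that covers only a few common codes, and s_client's "Protocol  : TLSv1.3" session line. The two transcripts are constructed, modelled on the output shown above; probe_tls needs network access and is defined but not run.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Postfix).
set -e

# Canonical Postfix protocol names in version order; rank 1..6 below.
ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print the rank (1..6) of a protocol name, case-insensitively; 0 if unknown.
proto_rank() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    i=0
    for p in $ALL_PROTOCOLS; do
        i=$((i + 1))
        if [ "$(printf '%s' "$p" | tr '[:upper:]' '[:lower:]')" = "$want" ]; then
            echo "$i"; return 0
        fi
    done
    echo "warning: unknown protocol name '$1'" >&2
    echo 0
}

# Expand a smtpd_tls_protocols value into the enabled protocol list.
# Names without "!" form an include list; "!name" excludes; ">=X" / "<=X"
# bound the range (Postfix 3.6+ syntax). Exclusions win over inclusions.
postfix_enabled_protocols() {
    spec=$(printf '%s' "$1" | tr ',:' '  ')
    lo=1; hi=6; included=""; excluded=""
    for tok in $spec; do
        case "$tok" in
            '>='*) lo=$(proto_rank "${tok#>=}") ;;
            '<='*) hi=$(proto_rank "${tok#<=}") ;;
            '!'*)  excluded="$excluded $(proto_rank "${tok#!}")" ;;
            *)     included="$included $(proto_rank "$tok")" ;;
        esac
    done
    result=""; i=0
    for p in $ALL_PROTOCOLS; do
        i=$((i + 1))
        [ "$i" -ge "$lo" ] && [ "$i" -le "$hi" ] || continue
        if [ -n "${included# }" ]; then
            case " $included " in *" $i "*) ;; *) continue ;; esac
        fi
        case " $excluded " in *" $i "*) continue ;; esac
        result="$result${result:+ }$p"
    done
    echo "$result"
}

# Classify an openssl s_client transcript passed as one argument:
# "alert <n> <name>" (exit 1) if the server sent a fatal alert,
# "negotiated <version>" (exit 0) if a session was established.
sclient_result() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$n" ]; then
        case "$n" in                       # small table of common TLS alerts
            40) name=handshake_failure ;;
            42) name=bad_certificate ;;
            70) name=protocol_version ;;
            71) name=insufficient_security ;;
            *)  name=unknown ;;
        esac
        echo "alert $n $name"
        return 1
    fi
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        echo "negotiated $proto"
        return 0
    fi
    echo "no handshake result found"
    return 2
}

# Live probe (needs network; not run here): force a TLS 1.3 handshake against
# an implicit-TLS port such as 465, or via STARTTLS on 25/587 with mode "starttls".
probe_tls() {
    host=$1; port=$2; mode=${3:-implicit}
    extra=""
    [ "$mode" = starttls ] && extra="-starttls smtp"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_3 $extra </dev/null 2>&1 || true)
    sclient_result "$out"
}

# Constructed transcripts: the first mirrors the failure in the question,
# the second is what a successful TLS 1.3 session block looks like.
FAILED_TRANSCRIPT='CONNECTED(00000003)
40879BE5F97F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:861:SSL alert number 70
---
no peer certificate available'
OK_TRANSCRIPT='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---'

echo "enabled: $(postfix_enabled_protocols '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1')"
echo "failed probe: $(sclient_result "$FAILED_TRANSCRIPT")"
echo "good probe:   $(sclient_result "$OK_TRANSCRIPT")"
```

Run the script as-is to see the expansion of the value from the question (TLSv1.2 and TLSv1.3 both enabled) and the two classifications; on a real host, probe_tls mail.example 465 reproduces the s_client check from the question and probe_tls mail.example 587 starttls does the same through STARTTLS. A server that answers a -tls1_3 probe with alert 70 does not have TLS 1.3 enabled in whatever stack is actually serving that port, regardless of what openssl ciphers lists locally.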