Re: TLS1.3 only

2018-07-14 Thread A. Schulze
On 13.07.2018 at 02:43, Viktor Dukhovni wrote:
> That is, you'd need to use "smtpd_tls_mandatory_protocols", assuming
> that for the submission service you also have:
> 
>   -o smtpd_tls_security_level=encrypt


Hello,

As assumed, it was my mistake.

Yes, on the submission port I do have "-o smtpd_tls_security_level=encrypt"
and if I set "-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2"
I really could connect *only* using TLS1.3.

-> everything works as documented :-)

Thanks Viktor!
Andreas
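
Added example, not part of the thread and not Postfix code: a small check that reads master.cf overrides and reports which protocol parameter is in effect for the service's security level, following the rule stated in this thread. It assumes plain "-o name=value" overrides and "!proto" exclusion lists only; DEFAULTS and the service name submission.fixed are constructed for illustration.

```python
import re

# Parameter in effect per security level, as stated in the thread.
EFFECTIVE = {"may": "smtpd_tls_protocols",
             "encrypt": "smtpd_tls_mandatory_protocols"}
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_master_cf(text):
    """Return {"service/type": {param: value}} from '-o name=value' overrides."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # continuation of previous entry
        else:
            logical.append(line.strip())
    services = {}
    for entry in logical:
        name, kind = entry.split()[:2]
        pairs = re.findall(r"-o\s+([\w.]+)=(\S+)", entry)
        services[f"{name}/{kind}"] = dict(pairs)
    return services

def audit(overrides, defaults):
    """Name the parameter in effect, what it leaves enabled, and ignored overrides."""
    cfg = {**defaults, **overrides}
    level = cfg.get("smtpd_tls_security_level", "")
    param = EFFECTIVE.get(level)
    if param is None:  # level not covered by the thread
        return {"level": level, "param": None, "allowed": [], "ignored": []}
    excluded = {p.strip()[1:] for p in cfg.get(param, "").split(",")
                if p.strip().startswith("!")}
    ignored = [p for p in EFFECTIVE.values() if p != param and p in overrides]
    return {"level": level, "param": param, "ignored": ignored,
            "allowed": [p for p in KNOWN if p not in excluded]}

# Constructed stand-in for the main.cf values (assumed, not from the thread).
DEFAULTS = {"smtpd_tls_protocols": "!SSLv2, !SSLv3",
            "smtpd_tls_mandatory_protocols": "!SSLv2, !SSLv3"}
# Constructed master.cf: the thread's first attempt, then the working variant.
SAMPLE = """\
submission.local inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
submission.fixed inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
"""
REPORT = {svc: audit(o, DEFAULTS) for svc, o in parse_master_cf(SAMPLE).items()}
```

For the first entry REPORT lists smtpd_tls_protocols under "ignored" and still shows TLSv1.2 as allowed, which is the behaviour reported at the start of the thread.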


Re: TLS1.3 only

2018-07-12 Thread Viktor Dukhovni
On Thu, Jul 12, 2018 at 04:39:20PM -0400, Wietse Venema wrote:

> > For fun I tried to disable all TLS protocol versions other than TLS1.3
> > 
> > master.cf:
> >   submission.local inet n - - - - smtpd
> >     -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
> 
> That setting is ONLY in effect with 'smtpd_tls_security_level = may'.

That is, you'd need to use "smtpd_tls_mandatory_protocols", assuming
that for the submission service you also have:

  -o smtpd_tls_security_level=encrypt

> > but I'm still able to connect using TLS1.2
> 
> Insufficient information.

The most likely explanation based on the minimal description is
that you have mandatory TLS.

-- 
Viktor.


Re: TLS1.3 only

2018-07-12 Thread A. Schulze



On 12.07.2018 at 22:39, Wietse Venema wrote:
> A. Schulze:
>> Hello,
>>
>> postfix-3.3.1 + openssl-1.1.1pre8
>>
>> For fun I tried to disable all TLS protocol versions other than TLS1.3
>>
>> master.cf:
>>   submission.local inet n - - - - smtpd
>>     -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
> 
> That setting is ONLY in effect with 'smtpd_tls_security_level = may'.
> 
>> but I'm still able to connect using TLS1.2
> 
> Insufficient information.
> 
>   Wietse
> 

OK, will simplify my setup to provide more settings (maybe it's also my fault,
we'll see),
but not today, it's late here ...

Andreas


Re: TLS1.3 only

2018-07-12 Thread Wietse Venema
A. Schulze:
> Hello,
> 
> postfix-3.3.1 + openssl-1.1.1pre8
> 
> For fun I tried to disable all TLS protocol versions other than TLS1.3
> 
> master.cf:
>   submission.local inet n - - - - smtpd
>     -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2

That setting is ONLY in effect with 'smtpd_tls_security_level = may'.

> but I'm still able to connect using TLS1.2

Insufficient information.

Wietse