I installed the latest version of MIAB but I want to re-enable TLS 1.0 for the time being because not all the users using a new and updated email clients.
I followed this but it only allowed me to send emails and not receiving them using POP3.
Thank you all for your time.
One word … don’t.
Your users need to get into the 21st century and update their email clients.
Why sacrifice the security of everyone’s email system for a few hold outs? It is not worth it IMHO. Maybe you didn’t ask my opinion? That’s fine. Take it or leave it.
2 Likes
I know it’s not recommended and it’s bad practice and I totally agree with you, but this is what my management requested, so that’s why I am asking.
Thank you for your reply and your time.
Try this thread then:
I have no idea if it will help or not as I am completely against doing something as insecure as what your bosses are telling you to do. You did warn them of the consequences I presume?
1 Like
Yes I warned them on and on but they still want to stick to their opinion.
They say ‘A working email for all, is better than a secure email working for some people’.
Thank you for your time.
To any one that may have a problem like mine this is what worked for me to make it work on old machines using outlook 2013 on windows 7.
Edit Dovecot settings for POP3 and IMAP:
In /etc/dovecot/conf.d/10-ssl.conf:
ssl_protocols=TLSv1.2 TLSv1.1 TLSv1
ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
Edit Postfix config for SMTP:
In /etc/postfix/main.cf:
smtpd_tls_ciphers=medium
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers=medium
smtp_tls_mandatory_ciphers=medium
Thank you @alento for your help and time.
1 Like
Glad you found a solution but absolutely amazed by that incredible view of security at the place you work.
1 Like
Just an heads-up here, the MIAB config scripts overwrite configuation files. So whenever you upgrade the server don’t forget to redo the changes.
Also a good idea to try and get people to update their client software so that when everyones ready you can ditch TLS1.0 for good.
1 Like
There is a very nice python script in mailinabox/tools which you may want to use. (I recommend you to test and backup first before production).
You may create a custom.sh file in your home directory with the following content as example (edit file path and content as desire).
#!/bin/bash
mailinabox/tools/editconf.py /etc/postfix/main.cf \
smtpd_tls_ciphers=medium \
smtp_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
smtpd_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
smtpd_tls_mandatory_ciphers=medium \
smtp_tls_mandatory_ciphers=medium
Chmod to make script executable.
chmod +x custom.sh
After every update runs you can do a ./custom.sh and it will overwrite the config file with your custom settings
Disclaimer: modification is at your own risk.
1 Like
I know I was surprised too when they told me what they decided.
I am aware of that thank you for the reminder.
I will keep that in mind and test it.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.