How to re-enable TLS 1.0 in MIAB

I installed the latest version of MIAB but I want to re-enable TLS 1.0 for the time being because not all the users are using new and updated email clients.
I followed this but it only allowed me to send emails and not receive them using POP3.
Thank you all for your time.

One word … don’t.

Your users need to get into the 21st century and update their email clients.

Why sacrifice the security of everyone’s email system for a few holdouts? It is not worth it IMHO. Maybe you didn’t ask my opinion? That’s fine. Take it or leave it.

2 Likes

I know it’s not recommended and it’s bad practice and I totally agree with you, but this is what my management requested, so that’s why I am asking.
Thank you for your reply and your time.

Try this thread then:

I have no idea if it will help or not as I am completely against doing something as insecure as what your bosses are telling you to do. You did warn them of the consequences I presume?

1 Like

Yes, I warned them on and on, but they still want to stick to their opinion.
They say ‘A working email for all, is better than a secure email working for some people’.
Thank you for your time.

To anyone who may have a problem like mine, this is what worked for me to make it work on old machines using Outlook 2013 on Windows 7.
Edit Dovecot settings for POP3 and IMAP:
In /etc/dovecot/conf.d/10-ssl.conf:

ssl_protocols=TLSv1.2 TLSv1.1 TLSv1
ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Edit Postfix config for SMTP:
In /etc/postfix/main.cf:

smtpd_tls_ciphers=medium
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers=medium
smtp_tls_mandatory_ciphers=medium

Thank you @alento for your help and time.

1 Like

Glad you found a solution but absolutely amazed by that incredible view of security at the place you work.

1 Like

Just a heads-up here, the MIAB config scripts overwrite configuration files. So whenever you upgrade the server don’t forget to redo the changes.

Also a good idea to try and get people to update their client software so that when everyone’s ready you can ditch TLS1.0 for good.

1 Like

There is a very nice Python script in mailinabox/tools which you may want to use. (I recommend you test and back up first before production.)

You may create a custom.sh file in your home directory with the following content as an example (edit the file path and content as desired).

#!/bin/bash

mailinabox/tools/editconf.py /etc/postfix/main.cf \
smtpd_tls_ciphers=medium \
smtp_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
smtpd_tls_mandatory_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
smtpd_tls_mandatory_ciphers=medium \
smtp_tls_mandatory_ciphers=medium 

Chmod to make script executable.

chmod +x custom.sh

After every update runs you can do a ./custom.sh and it will overwrite the config file with your custom settings.

Disclaimer: modification is at your own risk.

1 Like
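An added example, not part of the thread or of Mail-in-a-Box: a small Python audit that resolves the protocol lists discussed above (Dovecot `ssl_protocols`, Postfix `*_tls_protocols` and `*_tls_mandatory_protocols`) and reports which legacy versions each setting leaves enabled, so the files can be rechecked after an upgrade rewrites them. The sample config text is constructed from the values in this thread plus one assumed `smtpd_tls_protocols` line, and Postfix's `>=`/`<=` bound syntax is not handled.

```python
import re

# Protocol names used in Postfix and Dovecot 2.2 protocol lists, oldest first.
ALL = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SETTING = re.compile(
    r"^\s*(ssl_protocols|\w+_tls_(?:mandatory_)?protocols)\s*=\s*(.*?)\s*$")

# Constructed sample input (not read from a live server).
DOVECOT_SAMPLE = "ssl_protocols=TLSv1.2 TLSv1.1 TLSv1\n"
POSTFIX_SAMPLE = (
    "smtpd_tls_protocols = !SSLv2, !SSLv3   # assumed line, for contrast\n"
    "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1\n"
)

def enabled_protocols(value):
    """Resolve a protocol list: '!X' excludes X, a bare name switches the
    list to include-only mode, and an empty list excludes nothing."""
    include, exclude = set(), set()
    for tok in filter(None, re.split(r"[\s,:]+", value.strip("\"'"))):
        name = tok.lstrip("!")
        if name not in ALL:
            raise ValueError(f"unhandled protocol token: {tok!r}")
        (exclude if tok.startswith("!") else include).add(name)
    base = include or set(ALL)
    return [p for p in ALL if p in base and p not in exclude]

def audit(conf_text):
    """Return {setting: [legacy protocols left enabled]}; last assignment wins."""
    found = {}
    for line in conf_text.splitlines():
        m = SETTING.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            found[m.group(1)] = [p for p in enabled_protocols(m.group(2))
                                 if p in LEGACY]
    return found

if __name__ == "__main__":
    for label, text in (("dovecot", DOVECOT_SAMPLE), ("postfix", POSTFIX_SAMPLE)):
        for setting, legacy in audit(text).items():
            status = "legacy enabled: " + ", ".join(legacy) if legacy else "no legacy protocols"
            print(f"{label}: {setting}: {status}")
```

The result describes only what each setting is configured to offer; the OpenSSL build's own minimum version and the cipher list also decide what a server actually negotiates.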

I know, I was surprised too when they told me what they decided.

I am aware of that, thank you for the reminder.

I will keep that in mind and test it.
