Yup, definitely what I need to do soon. But I don’t want to risk a cascade of dependency failures (openssl -> php -> our application, for example) on my live server when we are nowhere near ready to fully upgrade our application.
As a temporary patch until we can prepare our upgrade, I’ve made the following changes in MiaB to allow TLS1 and TLS1.1:
Edit /etc/postfix/main.cf:
Change the smtpd_tls_mandatory_protocols and smtp_tls_mandatory_protocols to:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
Comment out the mandatory_ciphers settings:
#smtpd_tls_mandatory_ciphers=high
#smtp_tls_mandatory_ciphers=high
Save and restart postfix:
sudo /etc/init.d/postfix restart
These changes will not persist after any further updates to MiaB, so it’s important to regard this as a temporary stopgap solution.
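
Added example, not part of the original post and not Mail-in-a-Box code: a small check that reports whether a main.cf-style file is in the relaxed state described above, so the stopgap is not forgotten. The function names are hypothetical, and it assumes single-line values, the `!proto` exclusion-list syntax used in the post, and `high` as the expected cipher grade (taken from the lines the post comments out).

```shell
#!/bin/sh
# Added example (not from the post): audit a Postfix main.cf-style file for
# the relaxed TLS settings described above.
# Assumptions: single-line values, "!proto" exclusion-list syntax as in the
# post, and "high" as the expected cipher grade (from the commented-out lines).

# Print the last uncommented value of parameter $2 in file $1 (empty if unset).
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one WEAK line per finding; return 1 if anything was found, else 0.
audit_postfix_tls() {
    file=$1
    weak=0
    for p in smtpd_tls_mandatory_protocols smtp_tls_mandatory_protocols; do
        val=$(get_param "$file" "$p")
        for proto in TLSv1 TLSv1.1; do
            # Excluded only when "!proto" is a whole item of the list.
            if ! printf '%s\n' "$val" | tr ', ' '\n\n' | grep -qxF "!$proto"; then
                echo "WEAK $p allows $proto"
                weak=1
            fi
        done
    done
    for p in smtpd_tls_mandatory_ciphers smtp_tls_mandatory_ciphers; do
        val=$(get_param "$file" "$p")
        if [ "$val" != "high" ]; then
            echo "WEAK $p is '${val:-unset}', expected high"
            weak=1
        fi
    done
    return "$weak"
}

# Constructed sample reproducing the edited lines from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
#smtpd_tls_mandatory_ciphers=high
#smtp_tls_mandatory_ciphers=high
EOF
audit_postfix_tls "$sample" || echo "main.cf is still in the temporary relaxed state"
rm -f "$sample"
```

Pointed at /etc/postfix/main.cf, it exits 0 only once both TLSv1 and TLSv1.1 are excluded and the cipher grade is `high` again.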