Postfix 3.3.1 on Centos 8 can't enable TLSv1 or TLSv1.1

I recently migrated my main mail server to a new one, the old one had been running for almost 10 years and was the production server for around 20 domains and over 40 mailboxes.

Everything went well and the configuration is not that much different from the old one, though postfix and dovecot are more recent.

One issue I am having, though, is enabling at least TLSv1.1 for compatibility reasons. I am seeing in the logs many TLS related connection errors and I have a stubborn client who is using Apple Mail in El Capitan that does not support TLSv1.2.

I need to have this enabled for at least one year to give time for upgrades. The problem is that no matter what I specify in the postfix main.cf, it will only serve TLSv1.2 and up.

    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2, !SSLv3

and

    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_protocols = !SSLv2, !SSLv3

but if I test with testssl.sh I always get

     Testing protocols via sockets 
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      not offered
     TLS 1.1    not offered
     TLS 1.2    offered (OK)
     TLS 1.3    offered (OK): final

on port 25, submission or smtps. Is there anything I missed on centos8 to enable TLSv1.1?

Edit: If I specify this for smtpd

    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1

Testing result is:

     Testing protocols via sockets 
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      not offered
     TLS 1.1    not offered
     TLS 1.2    not offered
     TLS 1.3    offered (OK): final

So now it disables TLSv1.2? Am I doing something wrong in the config file? I know the syntax changed in 3.6, but this one should work too.


@moray try setting your CentOS crypto policy to LEGACY:

    update-crypto-policies --set LEGACY

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

According to the Red Hat article, this enables TLSv1.0 / TLSv1.1. After setting this, just restart your postfix and your mails will be delivered.
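Added example (mine, not code from the question, the answer or Postfix): a small model of why the two testssl.sh runs above came out the way they did. It assumes, as I understand Postfix 3.3 and RHEL 8 rather than as the page states, that a protocol list containing any bare name allows only the bare names (exclusions still win), that Postfix 3.3 does not know the name TLSv1.3 and so leaves it to OpenSSL, and that the DEFAULT crypto policy floors OpenSSL at TLSv1.2 while LEGACY lowers the floor to TLSv1.

```python
# Model of how a Postfix smtpd_tls_protocols list and the RHEL 8 system-wide
# crypto policy combine into the set of versions a client actually sees.
# Assumptions (mine): Postfix 3.3 knows SSLv2..TLSv1.2 only; DEFAULT policy
# floor is TLSv1.2, LEGACY floor is TLSv1 (FUTURE kept as TLSv1.2).

ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
POSTFIX_KNOWN = ORDER[:5]            # names Postfix 3.3 can switch on/off
POLICY_FLOOR = {"LEGACY": "TLSv1", "DEFAULT": "TLSv1.2", "FUTURE": "TLSv1.2"}


def postfix_allowed(plist):
    """Versions Postfix leaves enabled for a main.cf protocol list string."""
    include, exclude = set(), set()
    for tok in plist.replace(",", " ").split():
        name = tok.lstrip("!")
        if name not in POSTFIX_KNOWN:
            raise ValueError(f"protocol name not known to Postfix 3.3: {name}")
        (exclude if tok.startswith("!") else include).add(name)
    # Only-exclusions: everything else stays on.  Any bare name: only the
    # bare names stay on.  Either way an explicit "!" wins.
    allowed = set(include) if include else set(POSTFIX_KNOWN)
    allowed -= exclude
    # Versions Postfix 3.3 cannot name are passed through to OpenSSL untouched
    # (this is why TLSv1.3 stayed offered even when TLSv1.2 was dropped).
    allowed |= set(ORDER) - set(POSTFIX_KNOWN)
    return allowed


def policy_allowed(policy):
    """Versions the system-wide crypto policy permits OpenSSL to negotiate."""
    return set(ORDER[ORDER.index(POLICY_FLOOR[policy]):])  # floor and newer


def offered(plist, policy):
    """Versions a scanner should report as offered: both layers must agree."""
    ok = postfix_allowed(plist) & policy_allowed(policy)
    return [p for p in ORDER if p in ok]


if __name__ == "__main__":
    # Reproduces the two results in the question, then the answer's fix.
    print(offered("!SSLv2, !SSLv3", "DEFAULT"))                    # TLSv1.2, TLSv1.3
    print(offered("!SSLv2, !SSLv3, TLSv1, TLSv1.1", "DEFAULT"))    # TLSv1.3 only
    print(offered("!SSLv2, !SSLv3", "LEGACY"))                     # TLSv1 .. TLSv1.3
```

On the real box, `update-crypto-policies --show` reports the active policy and `postconf smtpd_tls_protocols` the list Postfix is reading, so both inputs to the model can be checked before rerunning testssl.sh.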