for DANE, the smtp_tls_mandatory_protocols setting seems like it also needs to be set (unlike the cipher settings, this isn't documented to be in addition to the non-mandatory setting)

2016-06-12 09:08:08 -04:00 · 2016-06-12 09:08:08 -04:00 · 5f5f00af4a
parent 6b73bb5d80
commit 5f5f00af4a
1 changed files with 1 additions and 0 deletions
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -160,6 +160,7 @@ tools/editconf.py /etc/postfix/main.cf \
 # now see notices about trusted certs. The CA file is provided by the package `ca-certificates`.
 tools/editconf.py /etc/postfix/main.cf \
 	smtp_tls_protocols=\!SSLv2,\!SSLv3 \
+	smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3 \
 	smtp_tls_ciphers=medium \
 	smtp_tls_exclude_ciphers=aNULL,RC4 \
 	smtp_tls_security_level=dane \