From faa7f3fa6629b4f43bc9b6e9f0be59e2f93ac2ca Mon Sep 17 00:00:00 2001
From: Donald Brown
Date: Tue, 21 Aug 2018 08:50:54 -0600
Subject: [PATCH] Make postfix compliant.
Information from: https://serverfault.com/questions/803920/postfix-configure-to-use-tlsv1-2
---
 security.md | 2 +-
 setup/mail-postfix.sh | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/security.md b/security.md
index 5a797673..8da6ac8b 100644
--- a/security.md
+++ b/security.md
@@ -39,7 +39,7 @@ These services are protected by [TLS](https://en.wikipedia.org/wiki/Transport_La
 The services all follow these rules:
 * TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
-* Only TLSv1, TLSv1.1 and TLSv1.2 are offered (the older SSL protocols are not offered).
+* Only TLSv1.1 and TLSv1.2 are offered (the older SSL protocols and non-compliant TLSv1 are not offered).
 * HTTPS, IMAP, and POP track the [Mozilla Intermediate Ciphers Recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS), balancing security with supporting a wide range of mail clients. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy. For more details, see the [output of SSLyze for these ports](tests/tls_results.txt).
 * SMTP (port 25) uses the Postfix medium grade ciphers and SMTP Submission (port 587) uses the Postfix high grade ciphers ([more info](http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers)).
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index ca52edbd..efe84e47 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -98,7 +98,7 @@ tools/editconf.py /etc/postfix/master.cf -s -w \
 -o syslog_name=postfix/submission
 -o smtpd_milters=inet:127.0.0.1:8891
 -o smtpd_tls_security_level=encrypt
- -o smtpd_tls_ciphers=high -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+ -o smtpd_tls_ciphers=high -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4 -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1
 -o cleanup_service_name=authclean" \
 "authclean=unix n - - - 0 cleanup
 -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters
@@ -124,7 +124,7 @@ tools/editconf.py /etc/postfix/main.cf \
 smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
 smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
- smtpd_tls_protocols=\!SSLv2,\!SSLv3 \
+ smtpd_tls_protocols=\!SSLv2,\!SSLv3,\!TLSv1 \
 smtpd_tls_ciphers=medium \
 smtpd_tls_exclude_ciphers=aNULL,RC4 \
 smtpd_tls_received_header=yes
@@ -161,8 +161,8 @@ tools/editconf.py /etc/postfix/main.cf \
 # even if we don't know if it's to the right party, than to not encrypt at all. Instead we'll
 # now see notices about trusted certs. The CA file is provided by the package `ca-certificates`.
 tools/editconf.py /etc/postfix/main.cf \
- smtp_tls_protocols=\!SSLv2,\!SSLv3 \
- smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3 \
+ smtp_tls_protocols=\!SSLv2,\!SSLv3,\!TLSv1 \
+ smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3,\!TLSv1 \
 smtp_tls_ciphers=medium \
 smtp_tls_exclude_ciphers=aNULL,RC4 \
 smtp_tls_security_level=dane \
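Review bot: The `+` line of the submission override packs three `-o` options plus the new `!TLSv1` onto one very long continuation line while every neighbouring override is one `-o` per line, which hides the actual change in the diff; I'd split it into `-o smtpd_tls_ciphers=high`, `-o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4` and `-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1` on separate continuation lines. The reason TLSv1 is dropped lives only in the commit title, so a script comment above the call would help future readers: `# Submission is mandatory TLS (encrypt), so excluding TLSv1 here refuses legacy clients instead of silently downgrading them.` Putting the protocol floor on `smtpd_tls_mandatory_protocols` for a service that runs at `smtpd_tls_security_level=encrypt` is the right knob, since a client that cannot negotiate TLSv1.1 or better is rejected rather than falling back. The editconf command starts and ends outside the hunk.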
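Review bot: `smtpd_tls_protocols` is the opportunistic-TLS list for port 25, so adding `\!TLSv1` there does not make a sending MTA use a newer protocol; a sender that only speaks TLSv1 fails the handshake and, in practice (Postfix itself retries in plaintext at the `may` level), the mail then arrives in cleartext, which is a worse outcome than TLSv1 for that message. Postfix's own guidance for opportunistic TLS is to keep this list permissive and to put protocol floors on `smtpd_tls_mandatory_protocols`, which is what the submission override in the first hunk already does. I would keep `smtpd_tls_protocols=\!SSLv2,\!SSLv3 \` on port 25 and record the reasoning above the call: `# Port 25 is opportunistic TLS: excluding TLSv1 here pushes legacy senders to cleartext, not to TLSv1.1+.` If the project nonetheless wants TLSv1 gone on port 25, the security.md bullet changed in this commit should state that trade-off rather than present the exclusion as strictly safer. The editconf command starts outside the hunk.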
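Review bot: The two comment lines at the top of this hunk argue that encrypting to an unverified party beats not encrypting at all, and the new `smtp_tls_protocols=\!SSLv2,\!SSLv3,\!TLSv1 \` cuts against that: for destinations without usable DANE TLSA records `smtp_tls_security_level=dane` degrades to opportunistic TLS, so a receiving MX that only offers TLSv1 will now be delivered to in cleartext instead of over TLSv1. For DANE-verified destinations the mandatory list governs, and `\!TLSv1` on `smtp_tls_mandatory_protocols` makes delivery to a TLSv1-only MX defer rather than downgrade, which is the intended effect of a floor. I would therefore keep the floor only on the mandatory knob — `smtp_tls_protocols=\!SSLv2,\!SSLv3 \` and `smtp_tls_mandatory_protocols=\!SSLv2,\!SSLv3,\!TLSv1 \` — and extend the existing comment with `# smtp_tls_protocols stays permissive on purpose: with opportunistic TLS a stricter list means cleartext, not a better protocol.` The editconf command continues past the end of the hunk.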