RHEL 9 (and derivatives) RSA-SHA1 deprecation
Anzulo1984 opened this issue · comments
https://access.redhat.com/articles/6846411?extIdCarryOver=true&sc_cid=701f2000001OH7EAAW
I suggest moving forward and saying goodbye to TLSv1 and TLSv1.1 as well, and changing to more intermediate settings for Postfix.
I created a pull request for the changed settings
I need to think about this change, because the SMTP service is used not only between our own email server and end users, but also with other MTAs. If many MTAs don't support TLSv1.2/1.3, then email delivery will fail.
Dovecot / Nginx are configured to use at least TLSv1.2, because pop3/imap/https are used between our own email server and end users. It's easier to ask end users to upgrade the MUA / web browser to support TLSv1.2/1.3, but not easy to contact admins of other mail servers and force them to upgrade MTA software.
Your opinion?
My opinion is to set this by default. Users always have the possibility to downgrade to way weaker ciphers if they need to. iRedMail always drops outdated distros, and should keep up with modern ciphers, with the possibility to downgrade them.
https://www.rfc-editor.org/rfc/rfc8996
TLSv1.1 has been deprecated since March 2021, and even 1.3 has been available since 2018 and is supported by all iRedMail-supported distros.
I really would suggest upgrading security and maybe adding a HowTo instead: Enable older TLS protocols and ciphers for unsupported devices.
As well, I haven't found a single mail server yet which doesn't support at least TLSv1.2.
hi @Anzulo1984
Latest iRedMail-1.6.3 disables TLSv1 and TLSv1.1.
Thanks for the contribution. :)
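An added example, not part of this thread or of iRedMail's code: one way to check the compatibility concern raised above before disabling TLSv1 and TLSv1.1 is to count the protocol versions that remote MTAs actually negotiate, as recorded in the Postfix log. It assumes `smtpd_tls_loglevel = 1` and `smtp_tls_loglevel = 1` are set; the log lines, hostnames and addresses below are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format Postfix writes at TLS loglevel 1.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.com[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:00:07 mx postfix/smtpd[1202]: Anonymous TLS connection established from old.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  3 10:01:12 mx postfix/smtp[1210]: Trusted TLS connection established to mx.example.org[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:02:30 mx postfix/smtp[1211]: Untrusted TLS connection established to legacy.example.net[198.51.100.9]:25: TLSv1.1 with cipher AES256-SHA (256/256 bits)
Mar  3 10:03:00 mx postfix/smtpd[1203]: connect from plain.example.com[192.0.2.44]
"""

# smtpd = inbound (peer connects "from"), smtp = outbound (we connect "to").
TLS_LINE = re.compile(
    r"postfix[^\s\[]*/smtpd?\[\d+\]: \w+ TLS connection established "
    r"(?P<dir>from|to) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>(?:TLSv|SSLv)[\d.]+) with cipher"
)
# Protocol versions that would stop working once TLSv1.2 is the minimum.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit(log_text):
    """Return (per-protocol session counts, legacy peers keyed by direction)."""
    counts = Counter()
    legacy_peers = defaultdict(set)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # plaintext sessions and unrelated lines are not counted
        counts[m["proto"]] += 1
        if m["proto"] in LEGACY:
            legacy_peers[m["dir"]].add((m["host"], m["ip"], m["proto"]))
    return counts, legacy_peers


if __name__ == "__main__":
    counts, legacy = audit(SAMPLE_LOG)
    for proto, n in sorted(counts.items()):
        print(f"{proto:8} {n}")
    for direction, peers in legacy.items():
        for host, ip, proto in sorted(peers):
            print(f"legacy peer ({direction}): {host} [{ip}] {proto}")
```

Run against a few weeks of real mail logs, the legacy peer list shows which remote servers would lose TLS once the older protocols are disabled.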