
Disabling TLS 1.0 and 1.1 in Dovecot

If you have users accessing mail on your system, then you probably have Dovecot running. It is one of the best POP and IMAP servers (IMHO). It is easy to configure and get set up, but it also has some very advanced features if you need them.

Over the years new encryption protocols come out and old ones are no longer safe to run. TLS 1.0 and 1.1 are no longer safe to use, as they have known weaknesses. If you are installing a new version of Dovecot from scratch, then TLS 1.0 and TLS 1.1 will already be disabled by default. This article is for those (like me) who have been running Dovecot for a while and would like to make sure that TLS 1.0 and 1.1 are disabled.

Editing the Dovecot SSL config file.

The Dovecot config files are located in /usr/local/etc/dovecot/conf.d (or /etc/dovecot/conf.d if you are on a Linux distro). The file you want to edit is 10-ssl.conf.

Check your Dovecot version. For current Dovecot versions (2.3 and newer), add the following line at the end of the config file (if the line is not already in the config):

ssl_min_protocol = TLSv1.2

For Dovecot versions older than 2.3, add the following line instead (if not already in the config):

ssl_protocols = TLSv1.2

Save the changes and then restart the Dovecot service.

$ sudo service dovecot restart
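The steps above can be wrapped in a small script so the change is applied idempotently and the right setting is picked for the installed version. This is an added example, not part of the original post; it assumes `dovecot --version` prints a version string beginning with major.minor (e.g. "2.3.21") and that the config path is the FreeBSD one from the article.

```shell
#!/bin/sh
# Added example: choose and apply the Dovecot TLS minimum-version setting.
# Assumption: `dovecot --version` output starts with "MAJOR.MINOR[.PATCH]".

# Print the config line for the given Dovecot version string:
# 2.3+ uses ssl_min_protocol, older releases use ssl_protocols.
tls_setting_for_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 3 ]; }; then
        echo "ssl_min_protocol = TLSv1.2"
    else
        echo "ssl_protocols = TLSv1.2"
    fi
}

# Append the setting to a config file unless the key is already set.
# Commented-out lines such as "#ssl_min_protocol = ..." do not count as set.
# Prints "added" or "present" so the caller knows whether a restart is needed.
ensure_setting() {
    conf=$1
    line=$2
    key=${line%% =*}
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        echo present
    else
        printf '%s\n' "$line" >> "$conf"
        echo added
    fi
}

# Usage on a real server (not run automatically; path is the FreeBSD layout):
#   conf=/usr/local/etc/dovecot/conf.d/10-ssl.conf
#   setting=$(tls_setting_for_version "$(dovecot --version)")
#   [ "$(ensure_setting "$conf" "$setting")" = added ] && sudo service dovecot restart
```

After the restart, `doveconf ssl_min_protocol` (or `doveconf ssl_protocols` on releases before 2.3) prints the value Dovecot is actually using, which is the quickest way to confirm the edit took effect.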
