Disabling TLS 1.0 and 1.1 in Postfix

Postfix is one of the most common email servers in the world due to its performance and its easy setup and configuration. Postfix supports TLS 1.2 as of version 2.6 and TLS 1.3 in version 3.4 and later. This article shows how to remove the less secure TLS 1.0 and 1.1 from Postfix.

Checking your Postfix version.

You can find out what version of Postfix you are running with the following command.

$ sudo postconf -d | grep mail_version

If your Postfix is higher than version 2.6, you can disable TLS 1.0 and 1.1 and it will use the newer TLS versions. If it is not, then you really should update your version of Postfix.

Updating the configuration.

Open the Postfix configuration file /usr/local/etc/postfix/main.cf (or, on a Linux distro, /etc/postfix/main.cf) and add the following lines at the end of the file (if not already there).

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Save your changes and then restart the Postfix service.

$ sudo service postfix restart
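To confirm that all four settings above took effect, the following added example (not part of the original article) audits "name = value" lines and flags any of the four parameters that is missing or still allows SSLv2, SSLv3, TLS 1.0 or TLS 1.1. The function name and the sample inputs are constructed for illustration; it goes slightly beyond the article by also accepting the `>=TLSv1.2` lower-bound syntax of Postfix 3.6 and later.

```shell
#!/bin/sh
# Added example: audit Postfix TLS protocol settings supplied on stdin in the
# "name = value" form that postconf prints.

PARAMS="smtpd_tls_mandatory_protocols smtpd_tls_protocols
smtp_tls_mandatory_protocols smtp_tls_protocols"
LEGACY="SSLv2 SSLv3 TLSv1 TLSv1.1"

# Prints one line per finding; returns 0 only when all four parameters are
# set and each one excludes every legacy protocol.
audit_tls_protocols() {
    settings=$(cat)
    status=0
    for param in $PARAMS; do
        # Keep the last assignment: Postfix remembers only the last instance.
        value=$(printf '%s\n' "$settings" |
            sed -n "s/^$param[[:space:]]*=[[:space:]]*//p" | tail -n 1)
        if [ -z "$value" ]; then
            echo "MISSING $param"; status=1; continue
        fi
        case "$value" in
            # Lower-bound syntax accepted by Postfix 3.6 and later.
            *">=TLSv1.2"*|*">=TLSv1.3"*) continue ;;
        esac
        tokens=" $(printf '%s' "$value" | tr ',' ' ' | tr -s ' ') "
        for proto in $LEGACY; do
            case "$tokens" in
                *" !$proto "*) ;;   # exact token, so !TLSv1.1 does not satisfy !TLSv1
                *) echo "WEAK $param does not exclude $proto"; status=1 ;;
            esac
        done
    done
    [ "$status" -eq 0 ] && echo "OK legacy protocols excluded"
    return "$status"
}

# Constructed sample inputs (not taken from a real server).
HARDENED_SAMPLE='smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
WEAK_SAMPLE='smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1.1
smtp_tls_mandatory_protocols = >=TLSv1.2'

printf '%s\n' "$HARDENED_SAMPLE" | audit_tls_protocols || true
printf '%s\n' "$WEAK_SAMPLE" | audit_tls_protocols || true
```

On a live server, pipe the effective values into the function with `postconf smtpd_tls_mandatory_protocols smtpd_tls_protocols smtp_tls_mandatory_protocols smtp_tls_protocols | audit_tls_protocols`.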
