Require TLS 1.3 on client-facing ports

I tested with the -tls1_2 option
of openssl s_client
that TLS 1.2 connections
are no longer possible
on any ports except port 25.

Port 25 requires at least TLS 1.2
for encrypted connections.
link2xt
2024-11-09 03:54:15 +00:00
committed by l
parent 2daac76574
commit 1a35cdc7a9
2 changed files with 3 additions and 1 deletions

@@ -209,7 +209,7 @@ ssl = required
ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
ssl_dh = </usr/share/dovecot/dh.pem
ssl_min_protocol = TLSv1.2
ssl_min_protocol = TLSv1.3
ssl_prefer_server_ciphers = yes
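
Review bot: the `ssl_dh = </usr/share/dovecot/dh.pem` context line just above the changed `ssl_min_protocol` is left in place, but with a TLSv1.3 floor the key exchange is negotiated through named groups, so a custom DH parameter file is no longer used by any handshake this listener accepts. Either drop it in the same change or add a comment saying why it stays. A one-line comment above `ssl_min_protocol = TLSv1.3` noting that port 25 is deliberately kept at TLS 1.2 would also help, since that exception is only recorded in the commit message and a later cleanup could "align" the two settings by accident. The message describes a negative test with -tls1_2 only; it is worth confirming that a TLS 1.3 handshake also succeeds on each client-facing port after the change.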