From the config file in /etc/courier
TLS_PROTOCOL sets the protocol version. The possible versions are:
SSL2 - SSLv2
SSL3 - SSLv3
TLS1 - TLS1
TLS_PROTOCOL=TLSv1.2+ (This was TLSv1+, can TLSv1.2 work here?)
TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
extension, as opposed to POP3 over SSL on port 995.
TLS_STARTTLS_PROTOCOL=TLS1.2 (This was TLS1, can TLS1.2 work here?)
I’m on a roll this week: shortly after hitting a wall and posting to the forums, I figured it out.
There are two ways to achieve this.
1. Edit the /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl lines to the above. I’ve tested using “openssl s_client -connect mail.myserver.com:995 -tls1” and was not able to connect after making this change.
2. Edit the ciphers to block this: “…:!TLSv1:!TLSv1.1”
Normally you’d be able to edit this right from NodeWorx SSL (/nodeworx/ssl), but that doesn’t seem to be working right now and I’ve posted about that here:
But making the cipher change directly in the file did work.
I imagine out of the 2 above, it makes more sense to go with option 1, since you aren’t even enabling that as an option to start with, but option 2 is nice (once the bug is fixed) because it can be done through NodeWorx rather than by manually editing the config file.
On a roll, you’re on fire…
I’m sorry, it’s late here, but to answer your question: yes, TLS 1 through 1.2 should work. Certainly on CentOS 6.8 it does.
By restricting TLS, you are effectively reducing the number of email servers which could connect/your server could connect to…
I’m not sure about CentOS 7, sorry, as I do not use CentOS 7 in production.
You can set the ciphers directly from my post shown in mods, for .sh changes (sorry, it’s late and I cannot remember the term), and if you change any ciphers independently, it could stop Apache/qmail from restarting, due to differences.
I’ll pick this up tomorrow at some point, if alright, when thinking clearer after a couple of beers.
Hope that’s alright, but you’re definitely on fire… kudos to you.