Is it possible to force imapd-ssl and pop3d-ssl to TLSv1.2?

From the config file in /etc/courier

    ##NAME: TLS_PROTOCOL:0
    #
    # TLS_PROTOCOL sets the protocol version. The possible versions are:
    #
    # SSL2 - SSLv2
    # SSL3 - SSLv3
    # TLS1 - TLS1
    #
    TLS_PROTOCOL=TLSv1.2+   (This was TLSv1+, can TLSv1.2 work here?)

    ##NAME: TLS_STARTTLS_PROTOCOL:0
    #
    # TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
    # extension, as opposed to POP3 over SSL on port 995.
    #
    TLS_STARTTLS_PROTOCOL=TLS1.2   (This was TLS1, can TLS1.2 work here?)

I’m on a roll this week: shortly after hitting a wall and posting to the forums, I figured it out.

There are two ways to achieve this.

  1. Edit the /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl lines to the above. I’ve tested using “openssl s_client -connect mail.myserver.com:995 -tls1” and was not able to connect after making this change.

  2. Edit the ciphers to block this: “…:!TLSv1:!TLSv1.1”

Normally you’d be able to edit this right from NodeWorx SSL (/nodeworx/ssl), but that doesn’t seem to be working right now and I’ve posted about that here:
http://forums.interworx.com/threads/8578-NodeWorx-SSL-config-doesn-t-seem-to-match-up-for-IMAP-POP

But making the cipher change directly on the file did work.

I imagine out of the 2 above, it makes more sense to go with option 1 since you aren’t even enabling that as an option to start with, but option 2 is nice (once the bug is fixed) because it can be done through NodeWorx and not by manual editing of the config file.
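An added audit script for the two options above (example code, not from this thread, InterWorx or Courier). It assumes the cipher setting is Courier's TLS_CIPHER_LIST, which the post does not name, and checks constructed sample configs rather than the real files under /etc/courier:

```sh
#!/bin/sh
# Print the value of setting $1 from Courier config file $2 (last assignment wins).
courier_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d '"'
}

# 0 if a protocol setting is a TLS 1.2-or-higher floor, in either spelling
# used above (TLSv1.2+ for imapd-ssl/pop3d-ssl, TLS1.2 for the STARTTLS path).
proto_is_tls12() {
    case "$1" in TLSv1.[23]*|TLS1.[23]*) return 0 ;; esac
    return 1
}

# 0 if the cipher list carries both exclusions from option 2 (!TLSv1:!TLSv1.1).
ciphers_exclude_old() {
    case ":$1:" in *:!TLSv1:*) ;; *) return 1 ;; esac
    case ":$1:" in *:!TLSv1.1:*) return 0 ;; *) return 1 ;; esac
}

# 0 if the file restricts both the SSL port and STARTTLS to TLS 1.2+ by
# option 1 (both protocol floors) or option 2 (cipher exclusions).
courier_tls12_only() {
    if proto_is_tls12 "$(courier_get TLS_PROTOCOL "$1")" &&
       proto_is_tls12 "$(courier_get TLS_STARTTLS_PROTOCOL "$1")"; then
        return 0
    fi
    ciphers_exclude_old "$(courier_get TLS_CIPHER_LIST "$1")"
}

# Live check in the spirit of the post's "openssl s_client ... -tls1" test:
# try each version against host $1, port $2 (995 for POP3S, 993 for IMAPS).
# A version your local openssl build disables also shows as "rejected".
probe_tls_versions() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$1:$2" -$v </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
}

# Constructed sample configs (not real server files) so the audit runs offline.
WORK=$(mktemp -d)
printf 'TLS_PROTOCOL=TLSv1.2+\nTLS_STARTTLS_PROTOCOL=TLS1.2\n' >"$WORK/hardened"
printf 'TLS_PROTOCOL=TLSv1+\nTLS_STARTTLS_PROTOCOL=TLS1\nTLS_CIPHER_LIST="HIGH:!aNULL"\n' >"$WORK/legacy"
printf 'TLS_PROTOCOL=TLSv1+\nTLS_STARTTLS_PROTOCOL=TLS1\nTLS_CIPHER_LIST="HIGH:!aNULL:!TLSv1:!TLSv1.1"\n' >"$WORK/ciphers"
for f in hardened legacy ciphers; do
    if courier_tls12_only "$WORK/$f"; then echo "$f: TLS 1.2+ only"; else echo "$f: still allows TLS 1.0/1.1"; fi
done
```

Run `probe_tls_versions mail.myserver.com 995` after restarting the services to confirm from the outside that only tls1_2 (and tls1_3, if the build offers it) reports accepted.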

Hi Justin

On a roll, you’re on fire…

I’m sorry, it’s late here, but to answer your question, yes, TLS 1 through to 1.2 should work. Certainly on CentOS 6.8 it does.

By restricting TLS, you are effectively reducing the number of email servers which could connect/your server could connect to…

I’m not sure about CentOS 7, sorry, as I do not use CentOS 7 in production.

You can set the ciphers directly from my post shown in mods, for .sh changes (sorry, it’s late and I cannot remember the term), and if you change any ciphers independently, it could stop Apache/qmail from restarting, due to differences.

I’ll pick this up tomorrow at some point if alright, when thinking clearer after a couple of beers.

Hope that’s alright, but you’re definitely on fire… kudos to you.

Many thanks

John