Is it possible to force imapd-ssl and pop3d-ssl to TLSv1.2?

From the config file in /etc/courier


TLS_PROTOCOL sets the protocol version. The possible versions are:

SSL2 - SSLv2

SSL3 - SSLv3


TLS_PROTOCOL=TLSv1.2+ (This was TLSv1+, can TLSv1.2 work here?)



extension, as opposed to POP3 over SSL on port 995.

TLS_STARTTLS_PROTOCOL=TLS1.2 (This was TLS1, can TLS1.2 work here?)

I’m on a roll this week, shortly after hitting a wall and posting to the forums, I figure it out.

There are two ways to achieve this.

  1. Edit the /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl lines to the above. I’ve tested using “openssl s_client -connect -tls1” and was not able to connect after making this change.

  2. Edit the ciphers to block this: “…:!TLSv1:!TLSv1.1”

Normally you’d be able to edit this right form NodeWorx SSL (/nodeworx/ssl), but that doesn’t seem to be working right now and I’ve posted about that here:

But making the cipher change directly on the file did work.

I imagine out of the 2 above, it makes more sense to go with option 1 since you aren’t even enabling that as an option to start with, but option 2 is nice (once the bug is fixed) because it can be done through NodeWorx and not manual editing of config file.

Hi Justin

On a roll, your on fire…

I’m sorry, it’s late here but to answer your question, yes, TLS 1 through to 1.2 should work. Certainly on centos 6.8 it does

By restricting TLS, you are effectively reducing the number of email servers which could connect/your server could connect too…

I’m not sure about centos 7 sorry, as I do not use centos 7 in production

You can set the ciphers directly from my post shown in mods, for .sh changes (sorry, it’s late and I cannot remember the term), and if you change any ciphers independently, could stop Apache/quail from restarting, due to differences

I’ll pick this up tommorow at some point if alright, when thinking clearer after a couple of beers

Hope that’s alright but your definitely on fire… kudos to you

Many thanks