On 11/14/2018 01:46 PM, Joseph Tam wrote:
On Wed, 14 Nov 2018, Aki Tuomi wrote:
I'm providing IMAP+Starttls on port 143 for users with legacy MUA. So I've to enable TLS1.0 up to TLS1.3 For IMAPS / port 993 I like to enable TLS1.2 and TLS1.3 only.
Is this possible with dovecot-2.2.36 / how to setup this?
Not possible I'm afraid.
("Not possible" = challenge!)
Couldn't you run two different instances (with 2 separate run-time directories), each listening on a different port with their own SSL configuration? Or would it clash somewhere?
If only a single running instance of dovecot is required, I guess you can run dovecot on the localhost interface, and use 2 stunnel proxies.
Joseph Tam jtam.home@gmail.com
Honestly that violates the concept of KISS.
Given that TLS 1.2 is now a decade old, do you really need to still allow clients not capable of TLS 1.0/1.1 ???
I still do but only allow cipher suites with Forward Secrecy.
I don't run huge mail server, but from quick look at my logs I don't even see any clients connecting that aren't TLS 1.2 anymore.
Might be easier to just give a six month notice that clients running TLS more than a decade old will no longer be supported.