>> I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers.
There is no need to disable TLSv1.3 and attempts to do so will be flagged as “downgrade attacks”.
Let us ignore TLSv1.2 as a downgrade option. And focus on TLSv1.3 for
its entirety of this thread.
If the ciphersuite (not cipher for that's a TLSv1.2 term), but a
ciphersuite for TLSv1.3.... needs to have its set of ciphers:
* Reordered, or
* disabled
We cannot do it at the moment given this snapshot of Dovecot.
We are working for adding extra controls for TLSv1.3 (e.g. controlling cipher suitea) and ability to set ssl_max_version.