Disable all other TLS protocols

So using the webadmin panel, I’ve gone under all my SMTP receiving connections, and unchecked all the boxes except TLSV1.2 from ssl config. I reloaded both the server and the smtp connections from panel. However, on testing, if I send myself an email from another server, under view source I can see it says:

Received: from mail.olderserver.com (mail.oldersever.com [xxx.xx.xx.xx])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))

Hello agon,

Could you please post the entire Received header you are referring to and not only a part of it?

Maybe you have selected a wrong Received header and not the one written by your Axigen server, as what you have shared looks a little bit different from what we are used to.

HTH,
Ioan

1 Like

Sure thing, here’s the whole header I see on the email

header.txt (2.0 KB)

I only mentioned the one part in my previous message since I did not see anything else regarding TLS.

Hello agon,

So the received header as written by your Axigen server is:

Received: from mail.ultra.com.mk (212.13.64.54) by axigen (Axigen)
 with (ECDHE-RSA-AES128-GCM-SHA256 encrypted) ESMTPS id 12EC58;
 Mon, 4 Dec 2023 12:02:57 +0100

In order to validate that the Axigen server is configured as intended (only with TLS 1.2) you could check with a command like:

$ for v in 1 1_1 1_2 1_3
do
  echo quit | openssl s_client -connect <your-mail-server>:25 -starttls smtp -crlf -tls$v >/dev/null 2>/dev/null && echo "TLS $v >> SUPPORTED" || echo "TLS $v >> UNSUPPORTED"
done

Checking for your server (as extracted from TO: header) we got:

TLS 1 >> UNSUPPORTED
TLS 1_1 >> UNSUPPORTED
TLS 1_2 >> SUPPORTED
TLS 1_3 >> UNSUPPORTED

so it looks ok.

HTH,
Ioan

1 Like

I tried the openssl command with the -tls flag myself and got the same result: everything other than tls1_2 was unsupported. However, seeing tlsv1 in the header of the test email threw me off. Is that there for some reason unrelated to Axigen?

Hello agon,

The Received headers are added by each server as the message passes through it and should be read in reverse order.

The one where you noticed TLSv1

Received: from mail.ultra.com.mk (mail.ultra.com.mk [212.13.64.54])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)	(Authenticated sender: aasani@ultra.local)
	by mail.ultra.com.mk (Utra Mail Daemon (Postfix) NO UCE)
 with ESMTPSA id 6AB8F2B4AFD	for <esarutest@esarumail.ultra.com.mk>;
 Mon,  4 Dec 2023 12:04:28 +0100 (CET)

was added by the mail.ultra.com.mk server (which is a Postfix server and not Axigen) and is saying that the message was received via an authenticated SMTP session using TLSv1 and the ECDHE-RSA-AES256-SHA cipher.

Checking that specific server we could see:

TLS 1 >> SUPPORTED
TLS 1_1 >> SUPPORTED
TLS 1_2 >> SUPPORTED
TLS 1_3 >> UNSUPPORTED

HTH,
Ioan

1 Like
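
The per-hop reading described in the last reply, as an added example that is not part of the original thread: a Python sketch that walks a message's Received headers oldest-first and reports which server wrote each one and what TLS details it recorded. The two patterns cover only the two header styles quoted in this thread (Postfix and Axigen); the function and pattern names are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample: the two Received headers quoted in this thread,
# newest first, as they appear in a message's source.
SAMPLE = """\
Received: from mail.ultra.com.mk (212.13.64.54) by axigen (Axigen)
 with (ECDHE-RSA-AES128-GCM-SHA256 encrypted) ESMTPS id 12EC58;
 Mon, 4 Dec 2023 12:02:57 +0100
Received: from mail.ultra.com.mk (mail.ultra.com.mk [212.13.64.54])
\t(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
\t(No client certificate requested)\t(Authenticated sender: aasani@ultra.local)
\tby mail.ultra.com.mk (Utra Mail Daemon (Postfix) NO UCE)
 with ESMTPSA id 6AB8F2B4AFD\tfor <esarutest@esarumail.ultra.com.mk>;
 Mon,  4 Dec 2023 12:04:28 +0100 (CET)
Subject: test

body
"""

# Postfix style: "(using TLSv1 with cipher NAME (256/256 bits))"
POSTFIX_STYLE = re.compile(r"\(using (SSLv\d|TLSv[\d.]+) with cipher (\S+)")
# Axigen style: "with (NAME encrypted) ESMTPS" -- cipher only, no version
AXIGEN_STYLE = re.compile(r"with \((\S+) encrypted\)")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def tls_per_hop(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to follow the delivery path.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        by = re.search(r"\bby (\S+)", flat)      # the server that wrote it
        version = cipher = None
        m = POSTFIX_STYLE.search(flat)
        if m:
            version, cipher = m.groups()
        else:
            m = AXIGEN_STYLE.search(flat)
            cipher = m.group(1) if m else None
        hops.append({"by": by.group(1) if by else None, "version": version,
                     "cipher": cipher, "legacy": version in LEGACY})
    return hops


if __name__ == "__main__":
    for hop in tls_per_hop(SAMPLE):
        print(hop)
```

A hop whose `by` field is not your own server describes a session your configuration does not control; only the header written by your server reflects its TLS settings.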