When examining mail server logs, you might notice connections using older TLS protocols despite modern security requirements. Here's how to enforce TLSv1.2 specifically for email submission (port 587):
Your log shows:
Anonymous TLS connection established: TLSv1 with cipher ECDHE-RSA-AES256-SHA
The key line in master.cf that needs modification is:
-o smtp_tls_mandatory_protocols=TLSv1
Modify your /etc/postfix/master.cf submission service section:
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  # server side (smtpd_*): refuse every protocol older than TLSv1.2
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  # client side (smtp_*): these govern outbound mail only and have no effect
  # inside the smtpd service; put them in main.cf if you want them
  -o smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtp_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
For Ubuntu 16.04 with OpenSSL 1.0.2h, create or modify /etc/postfix/dhparam.pem:
openssl dhparam -out /etc/postfix/dhparam.pem 2048
Then add to main.cf:
smtpd_tls_dh1024_param_file = /etc/postfix/dhparam.pem
smtpd_tls_eecdh_grade = strong
Add these lines to main.cf for optimal security:
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
After making changes, test with:
postfix reload
openssl s_client -connect localhost:587 -starttls smtp -tls1_2
You should see output indicating TLSv1.2 is being used. The webshop configuration should now establish TLSv1.2 connections to your Postfix server.
If connections fail:
1. Check /var/log/mail.log for TLS negotiation errors
2. Verify OpenSSL supports TLSv1.2: openssl ciphers -v | grep TLSv1.2
3. Test from client side: telnet yourserver.com 587 followed by EHLO test
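The answer above starts from a log line. The following script, an added example that is not part of the answer and not Postfix project code, scans mail.log for Postfix "TLS connection established" lines and reports which peers still negotiate below TLSv1.2 (the clients that will break once the protocol floor is enforced) and which sessions used a cipher without forward secrecy. The SAMPLE_LOG inside it is constructed for the demonstration; reading a file path from the command line is an assumption.

```python
"""Scan Postfix logs for TLS sessions negotiated below a protocol floor.

Added example for the answer above, not code from that answer or from the
Postfix project. Input lines follow the "TLS connection established" format
that Postfix smtpd/smtp write to mail.log; SAMPLE_LOG is constructed.
"""
import io
import re
import sys
from collections import Counter

# One log line per TLS session. The peer part is optional so that the shortened
# form quoted in the answer ("... established: TLSv1 with cipher ...") parses too.
TLS_LINE = re.compile(
    r"postfix/(?P<service>[\w./-]+)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established"
    r"(?: (?:from|to) (?P<peer>.+?))?: (?P<protocol>\S+) with cipher (?P<cipher>\S+)"
)

PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3,
                 "TLSv1.2": 4, "TLSv1.3": 5}
# OpenSSL cipher names with an ephemeral key exchange (forward secrecy);
# TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always have it.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")

# Constructed sample, shaped like /var/log/mail.log on the Ubuntu box in the answer.
SAMPLE_LOG = """\
Jun 10 09:12:01 mail postfix/submission/smtpd[19111]: Anonymous TLS connection established from shop.example.com[192.0.2.10]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
Jun 10 09:12:07 mail postfix/submission/smtpd[19111]: Anonymous TLS connection established from laptop.example.com[192.0.2.20]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 10 09:12:30 mail postfix/smtpd[19120]: Anonymous TLS connection established from mx.example.net[203.0.113.5]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jun 10 09:13:02 mail postfix/smtp[19130]: Trusted TLS connection established to mx.example.org[203.0.113.7]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Jun 10 09:13:10 mail postfix/submission/smtpd[19111]: connect from laptop.example.com[192.0.2.20]
"""


def parse_tls_line(line):
    """Return a dict for a TLS-established line, or None for any other line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["peer"] = rec["peer"] or "?"
    rec["forward_secrecy"] = rec["cipher"].startswith(PFS_PREFIXES)
    return rec


def audit(lines, minimum="TLSv1.2"):
    """Count sessions per (service, protocol) and collect the ones to chase.

    'legacy' holds sessions below the floor (clients that will break once the
    floor is enforced); 'no_pfs' holds sessions whose cipher has no ephemeral
    key exchange, which the cipher lists in the answer also remove.
    """
    floor = PROTOCOL_RANK[minimum]
    counts = Counter()
    legacy, no_pfs = [], []
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue
        counts[(rec["service"], rec["protocol"])] += 1
        if PROTOCOL_RANK.get(rec["protocol"], -1) < floor:
            legacy.append(rec)
        if not rec["forward_secrecy"]:
            no_pfs.append(rec)
    return {"counts": counts, "legacy": legacy, "no_pfs": no_pfs}


def report(result):
    """Render the audit as text: protocol mix first, then the peers to fix."""
    out = ["TLS sessions per service and protocol:"]
    for (service, proto), n in sorted(result["counts"].items()):
        out.append(f"  {service:<18} {proto:<8} {n}")
    out.append("sessions below the protocol floor (clients that must be upgraded):")
    for rec in result["legacy"]:
        out.append(f"  {rec['service']:<18} {rec['peer']:<34} {rec['protocol']} {rec['cipher']}")
    out.append("sessions without forward secrecy:")
    for rec in result["no_pfs"]:
        out.append(f"  {rec['service']:<18} {rec['peer']:<34} {rec['protocol']} {rec['cipher']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 tls_audit.py /var/log/mail.log   (no argument: built-in sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else io.StringIO(SAMPLE_LOG)
    with source:
        print(report(audit(source)))
```

Run it against the real log before flipping the protocol list: the "below the floor" section tells you which clients (the webshop, other MTAs) need attention first, and the outbound smtp entries show whether your own server is the legacy party on some connections.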
Your log shows that incoming connections are still using TLSv1:
postfix/submission/smtpd[19111]: Anonymous TLS connection established [...] TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA
This happens because of the explicit setting in your master.cf:
-o smtp_tls_mandatory_protocols=TLSv1
To enforce TLS 1.2, you need to modify two key files:
1. Update /etc/postfix/master.cf - Change the submission service section:
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  # 'may' offers STARTTLS but does not require it; 'encrypt' would make it mandatory
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  # an explicit -o list replaces the main.cf/default value, so exclude the
  # SSL versions here too instead of silently re-enabling them
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_mandatory_protocols=TLSv1.2
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
2. Update /etc/postfix/main.cf - Add these TLS parameters:
# TLS protocols to exclude
smtpd_tls_mandatory_protocols = !TLSv1, !TLSv1.1, TLSv1.2
smtpd_tls_protocols = !TLSv1, !TLSv1.1, TLSv1.2
smtp_tls_mandatory_protocols = !TLSv1, !TLSv1.1, TLSv1.2
smtp_tls_protocols = !TLSv1, !TLSv1.1, TLSv1.2
# Modern cipher suites
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
Since you're using OpenSSL 1.0.2h, verify your default protocols with:
openssl ciphers -v 'HIGH:!aNULL:!eNULL:@STRENGTH' | awk '$2 == "TLSv1.2" {print $1}'
This should show supported TLS 1.2 ciphers like:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-GCM-SHA384
After making changes, test with:
service postfix restart
openssl s_client -connect localhost:587 -starttls smtp -tls1_2
You should see output indicating TLS 1.2 is being used:
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
If clients cannot connect, check:
- Client software must support TLS 1.2 (modern PHP mail() functions do)
- No firewalls blocking port 587
- Postfix logs for specific errors (/var/log/mail.log)
For legacy client support, consider creating a separate submission port (like 465) with less strict requirements while keeping 587 for modern TLS 1.2-only connections.
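The s_client test in the answer above checks one protocol version per invocation. The following script, an added example that is not part of the answer and not Postfix project code, probes the submission port with TLS 1.0, 1.1 and 1.2 in turn over STARTTLS and turns the three outcomes into a pass/fail verdict against the policy "nothing below TLSv1.2". The host and port are command-line assumptions (default localhost:587); the `@SECLEVEL=0` cipher string is there because OpenSSL 3, and some distribution builds of 1.1.1, will not offer TLS 1.0/1.1 at the default security level, which would make the probe report a refusal that the server never issued.

```python
"""Probe a Postfix submission port with one TLS version at a time.

Added example for the answer above, not code from that answer or from the
Postfix project. It scripts the openssl s_client check across TLS 1.0, 1.1
and 1.2 and turns the outcomes into a pass/fail verdict. Host and port are
taken from the command line (assumed default: localhost:587).
"""
import smtplib
import ssl
import sys

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
RANK = {"TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def make_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol policy here, not the certificate chain
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 (and some distro builds of 1.1.1) will not even offer TLS 1.0/1.1
        # at the default security level; without this the probe would blame the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # OpenSSL without security levels: TLS 1.0/1.1 are offered anyway
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return (negotiated protocol, cipher) on success, or an error string."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo("tls-probe.example")
            smtp.starttls(context=make_context(version))
            return smtp.sock.version(), smtp.sock.cipher()[0]
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return f"{type(exc).__name__}: {exc}"


def evaluate(results, minimum="TLSv1.2"):
    """Compare probe outcomes against the policy 'nothing below minimum'."""
    problems = []
    for name, outcome in results.items():
        should_work = RANK[name] >= RANK[minimum]
        refused = isinstance(outcome, str)
        if should_work and refused:
            problems.append(f"{name}: should be accepted but the handshake failed ({outcome})")
        elif not should_work and not refused:
            problems.append(f"{name}: should be refused but the server negotiated {outcome[0]} / {outcome[1]}")
        elif refused and "no protocols available" in outcome:
            # the local OpenSSL refused to offer the version, so the server was never tested
            problems.append(f"{name}: inconclusive, local OpenSSL would not offer it ({outcome})")
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    results = {name: probe(host, port, v) for name, v in VERSIONS.items()}
    for name, outcome in results.items():
        shown = outcome if isinstance(outcome, str) else f"accepted: {outcome[0]} / {outcome[1]}"
        print(f"{name:<8} {shown}")
    problems = evaluate(results)
    print("\n".join(problems) if problems else "policy holds: only TLSv1.2 and newer accepted")
    sys.exit(1 if problems else 0)
```

A non-zero exit means either a legacy version is still accepted or TLSv1.2 itself fails, so the script can run from cron or CI after every Postfix change. Add `"TLSv1.3": ssl.TLSVersion.TLSv1_3` to VERSIONS on an OpenSSL 1.1.1+ host if the server is expected to offer it.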