
Question: Postfix with TLS 1.3 under Ubuntu 16.04

Brujo

Plesk Obsidian Version 18.0.21 Update #5
postfix 3.4.5-v.ubuntu.16.04+p18.0.22.0+t191121.1820
OS: Ubuntu 16.04

Is it possible to enable TLS 1.3 for Postfix now, and if yes, how?
 
Plesk Obsidian Version 18.0.21 Update #5 postfix 3.4.5-v.ubuntu.16.04+p18.0.22.0+t191121.1820 OS: Ubuntu 16.04
Is it possible to enable TLS 1.3 for Postfix now, and if yes, how?
Yes! (See the sanitised extract from a test to prove this, below.) We're on a different (later) OS than you and we don't use all of the standard features available within Obsidian (some we customise). You can see what we are running via the forum sig. What specific area are you asking the question about? Then we can give a more relevant / detailed answer which might help.

SUCCESSFUL //email/test From:

Your email was sent securely using TLS.

TLS: Successful
From: ***@***test
Via: ***.***.***.***
Date: 2020-01-02 02:20:47 EST
Subject: ****test-code-supplied****
SSLVersion: TLSv1_3
SSLCipher: TLS_AES_256_GCM_SHA384
SNI: n/a
SPF_mfrom.Record: v=spf1 ip4:***.***.***.*** ip6:****:****:****:****:*:*:*:* a mx -all
SPF_mfrom: pass: local="***@***test ***.***.***.*** is authorized to use '***.test' in 'mfrom' identity (mechanism 'ip4:***.***.***.***' matched)"
SPF_helo.Record: v=spf1 ip4:***.***.***.*** ip6:****:****:****:****:*:*:*:* a mx -all
SPF_helo: pass: local="***@***test: ***.***.***.*** is authorized to use '***.test' in 'helo' identity (mechanism 'ip4:***.***.***.***' matched)"
DKIM: pass: signature="@***@***test" result="pass"
DKIM_policy.sender: "o=~"(default), result="accept"
DKIM_policy.author: "o=~"(default), result="accept"
DKIM_policy.ADSP: ""(default), result="accept"
DMARC_result: pass
DMARC_disposition: none
DMARC_dkim: pass
DMARC_dkim_align: strict
DMARC_spf: pass
DMARC_spf_align: strict
DMARC_published.v: DMARC1
DMARC_published.p: quarantine
DMARC_published.sp: quarantine
DMARC_published.adkim: r
DMARC_published.aspf: r
DMARC_published.rua: different-***@***test
DMARC_published.ruf: different-***@***test
DMARC_published.rf: afrf
DMARC_published.ri: 86400
DMARC_published.pct: 100
 
Thanks for the answer. Well, I tried the usual settings in Postfix for TLS 1.3 under my constellation, but obviously without success. TLS 1.3 is simply not used, and my guess is that it's because the Plesk Postfix doesn't seem to support TLS 1.3 under Ubuntu 16.x or isn't built against OpenSSL 1.1.1. The highest TLS version which I tested successfully with "openssl s_client -starttls smtp -crlf -connect mydomain.com:25" is TLS 1.2.

Also in the maillog:
Code:
# grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
    938 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
     54 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
     28 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
      4 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
      2 TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

openssl shows the availability of TLS 1.3 ciphers:
Code:
# openssl ciphers -v | grep 1.3
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD

So I wonder if anyone has already successfully configured it on Ubuntu 16.x.
 
"...Ubuntu 16.x or isn't built against OpenSSL 1.1.1."
Sorry, should have realised you were only specifically referring to 16.04 above... Still, if you're still using the Ubuntu official release OpenSSL (was it 1.0.2g in 16.04?) and this hasn't been upgraded in any way, then that does sound like the most probable cause :( Having said that, I'm not sure that even if you resolved this (say by adding OpenSSL 1.1.1 manually / re-compiling yourself etc.) it would help; I can't honestly recall seeing anywhere (but may have easily missed it) that Obsidian (and thus Postfix in your case) then officially fully supports TLSv1.3 on Ubuntu 16.04 anyway (other than on the customer / public websites front end etc. via the Plesk-provided nginx by default).
 
Yes, I hoped that with Plesk Obsidian more and more support for TLS 1.3 would be added also under Ubuntu 16.x, and not "only" for customers' websites but also for mail services and packages like Dovecot & Postfix. But good to know that after a switch to a more recent operating system, TLS 1.3 support is there out of the box.
 
"...good to know that after a switch to a more recent operating system, TLS 1.3 support is there out of the box"
Yes! Despite it not being made very clear on this page, if you're running up-to-date Ubuntu 18.04 LTS with Plesk Obsidian, then TLSv1.3 will run on practically everything (assuming you've made all the correct setups in advance and that any 3rd-party packages that you use also support it, that is) including... wait for it... Plesk's own sw-cp-server ;) which is nice.
 
Hi there,
I have successfully upgraded an Ubuntu 16.04.6 LTS to OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1g 21 Apr 2020). Plesk websites are running fine with TLS 1.3, but for mailing I don't know; only TLS 1.2 is at work.
Maybe someone has an idea where the settings are.
To activate TLS 1.3 on websites, I had to change manually in /etc/sw-cp-server/conf.d/ssl.conf:
Code:
ssl_protocols TLSv1.2 TLSv1.3;

Edit:
I tried a direct change in Postfix itself, /etc/postfix/main.cf, like:
Code:
smtp_use_tls = yes
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
#Extra changes
tls_preempt_cipherlist = yes
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL

But it makes no difference, only TLS 1.2.
I think perhaps it's about the server certs:
Note that server certificates are not optional in TLS 1.3. To run without certificates you'd have to disable the TLS 1.3 protocol by including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also "smtpd_tls_mandatory_protocols". It is simpler instead to just configure a certificate chain. Certificate-less operation is not recommended.
See here: Postfix TLS README

But here it's finished for me; I don't know how to update these certs in Plesk.
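As an added example for this thread (not Plesk's, Postfix's or either poster's code), a small POSIX shell script that runs the three checks the two posts above circle around: what the mail log actually negotiated, which libssl ABI the Postfix daemons are linked against, and an explicit TLS 1.3 probe with s_client. The point of the middle check is that Postfix only negotiates TLS 1.3 when it was built and is linked against OpenSSL 1.1.1 or later; a Postfix linked to libssl.so.1.0.0 (the Ubuntu 16.04 ABI) cannot do it whatever main.cf says, and upgrading the openssl command-line tool alone does not change that. Assumptions: Postfix 3.x "TLS connection established" log wording, the Debian/Ubuntu daemon path /usr/lib/postfix/sbin/smtpd, and an OpenSSL 1.1.1+ s_client for -tls1_3; the log and ldd lines are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example: triage "TLS 1.3 is simply not used" on a Postfix box.
#   tls_flags      - summarise what Postfix negotiated, from mail log lines
#   libssl_verdict - which OpenSSL ABI a binary is linked against (from ldd)
#   postfix_libssl - run libssl_verdict on the installed smtpd, if present
#   probe_tls13    - ask an MX for TLS 1.3 explicitly via openssl s_client
# Assumed paths/formats: Postfix 3.x log wording, /usr/lib/postfix/sbin/smtpd
# (confirm with: postconf -h daemon_directory), OpenSSL 1.1.1+ for -tls1_3.

# Constructed log lines modelled on the thread's grep output (not a real log).
SAMPLE_LOG='Jan  2 02:20:47 mx postfix/smtpd[1234]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  2 02:21:03 mx postfix/smtp[1240]: Trusted TLS connection established to mx.example[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan  2 02:22:11 mx postfix/smtpd[1250]: Anonymous TLS connection established from b.example[203.0.113.7]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jan  2 02:23:40 mx postfix/smtpd[1260]: Untrusted TLS connection established from c.example[203.0.113.9]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)'

# Constructed ldd output: an Ubuntu 16.04 box (OpenSSL 1.0.2 ABI) vs one with 1.1.1.
LDD_OLD='    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1c1a000000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1c19c00000)'
LDD_NEW='    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000000000)'

# Count sessions by what matters: TLS 1.3 reached at all, legacy TLS 1.0/1.1
# still accepted, and aNULL ciphers (ADH-*/AECDH-*) that authenticate nobody.
# Prints one line: total=N tls13=N legacy=N anon=N
tls_flags() {
    printf '%s\n' "$1" | awk '
        /TLS connection established/ {
            total++
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^TLSv1(\.[0-9])?$/) proto = $i
                if ($i == "cipher") cipher = $(i + 1)
            }
            if (proto == "TLSv1.3") tls13++
            else if (proto == "TLSv1" || proto == "TLSv1.1") legacy++
            if (cipher ~ /^(ADH|AECDH)-/) anon++
            proto = ""; cipher = ""
        }
        END { printf "total=%d tls13=%d legacy=%d anon=%d\n", total, tls13, legacy, anon }'
}

# Read the libssl soname out of ldd output. libssl.so.1.1 / libssl.so.3 are the
# ABIs that can carry TLS 1.3; libssl.so.1.0.0 cannot. Linking is necessary, not
# sufficient: Postfix must also have been compiled against 1.1.1 headers.
libssl_verdict() {
    soname=$(printf '%s\n' "$1" | awk '/libssl\.so/ { print $1; exit }')
    case "$soname" in
        libssl.so.1.0*)              echo "tls13-impossible $soname" ;;
        libssl.so.1.1|libssl.so.3*)  echo "tls13-possible $soname" ;;
        "")                          echo "no-libssl" ;;
        *)                           echo "unknown $soname" ;;
    esac
}

postfix_libssl() {
    bin="${1:-/usr/lib/postfix/sbin/smtpd}"   # assumed Debian/Ubuntu path
    if [ ! -x "$bin" ]; then
        echo "skipped (no $bin on this host)"
        return 0
    fi
    libssl_verdict "$(ldd "$bin" 2>/dev/null)"
}

# Force a TLS 1.3-only handshake. -tls1_3 exists only in OpenSSL 1.1.1+ s_client,
# so an "unknown option" error means the *test client* is too old to judge.
probe_tls13() {
    host="$1"; port="${2:-25}"
    out=$(openssl s_client -starttls smtp -connect "$host:$port" -tls1_3 </dev/null 2>&1) || true
    if printf '%s\n' "$out" | grep -q 'Protocol *: *TLSv1\.3'; then
        echo "TLSv1.3 negotiated with $host:$port"
    elif printf '%s\n' "$out" | grep -q 'unknown option'; then
        echo "local openssl too old for -tls1_3; test from a 1.1.1+ box"
    else
        echo "TLSv1.3 NOT negotiated with $host:$port"
    fi
}

echo "sample log:   $(tls_flags "$SAMPLE_LOG")"
echo "ldd (1.0.2):  $(libssl_verdict "$LDD_OLD")"
echo "ldd (1.1.1):  $(libssl_verdict "$LDD_NEW")"
echo "this host:    $(postfix_libssl)"
# probe_tls13 mail.example.com 25   # needs network; run by hand against your MX
```

On a live box, feed the real log with `tls_flags "$(grep 'TLS connection established' /var/log/maillog)"`. Two caveats the main.cf fragment above does not address: Postfix's cipher grades (`smtpd_tls_ciphers`, `tls_high_cipherlist`) only govern TLS 1.2 and earlier, TLS 1.3 suites come from the OpenSSL default and are not selected by those lists; and `!SSLv2, !SSLv3` still permits TLS 1.0 and 1.1, so on Postfix 3.4 the mandatory (submission) protocol list should read `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1`. The certificate the quoted README paragraph asks for is whatever `postconf smtpd_tls_cert_file smtpd_tls_key_file` prints.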
 