Yes! (see sanitised extract from a test to prove this, below). We're on a different (later) OS than you and we don't use all of the standard features available within Obsidian (some we customise). You can see what we are running via the forum sig. What specific area are you asking the question about? Then we can give a more relevant / detailed answer which might help?
Plesk Obsidian Version 18.0.21 Update #5 postfix 3.4.5-v.ubuntu.16.04+p18.0.22.0+t191121.1820 OS: Ubuntu 16.04
Is it possible to enable TLS 1.3 for postfix now and if yes how?
SUCCESSFUL //email/test From:
Your email was sent securely using TLS.
TLS: Successful
From: ***@***test
Via: ***.***.***.***
Date: 2020-01-02 02:20:47 EST
Subject: ****test-code-supplied****
SSLVersion: TLSv1_3
SSLCipher: TLS_AES_256_GCM_SHA384
SNI: n/a
SPF_mfrom.Record: v=spf1 ip4:***.***.***.*** ip6:****:****:****:****:*:*:*:* a mx -all
SPF_mfrom: pass: local="***@***test ***.***.***.*** is authorized to use '***.test' in 'mfrom' identity (mechanism 'ip4:***.***.***.***' matched)"
SPF_helo.Record: v=spf1 ip4:***.***.***.*** ip6:****:****:****:****:*:*:*:* a mx -all
SPF_helo: pass: local="***@***test: ***.***.***.*** is authorized to use '***.test' in 'helo' identity (mechanism 'ip4:***.***.***.***' matched)"
DKIM: pass: signature="@***@***test" result="pass"
DKIM_policy.sender: "o=~"(default), result="accept"
DKIM_policy.author: "o=~"(default), result="accept"
DKIM_policy.ADSP: ""(default), result="accept"
DMARC_result: pass
DMARC_disposition: none
DMARC_dkim: pass
DMARC_dkim_align: strict
DMARC_spf: pass
DMARC_spf_align: strict
DMARC_published.v: DMARC1
DMARC_published.p: quarantine
DMARC_published.sp: quarantine
DMARC_published.adkim: r
DMARC_published.aspf: r
DMARC_published.rua: different-***@***test
DMARC_published.ruf: different-***@***test
DMARC_published.rf: afrf
DMARC_published.ri: 86400
DMARC_published.pct: 100
# grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
938 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
54 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
28 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
4 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2 TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
# openssl ciphers -v | grep 1.3
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
Sorry, should have realised you were only specifically referring to 16.04 above... still, if you're still using the Ubuntu official release OpenSSL (was it 1.0.2g in 16.04?) and this hasn't been upgraded in any way, then that does sound like the most probable cause. Having said that, not sure that even if you resolved this (say by adding OpenSSL 1.1.1 manually / re-compiling yourself etc) can't honestly recall seeing anywhere (but may have easily missed it) that Obsidian (and thus Postfix in your case) does then officially fully support TLSv1.3 on Ubuntu 16.04 anyway... (other than on customer / public websites front end etc via the Plesk provided nginx by default)
"....Ubuntu 16.x or isn't build against openssl 1.1.1.
Yes! Despite it not being made very clear on this page, if you're running up to date Ubuntu 18.04 LTS with Plesk Obsidian, then TLSv1.3 will run on practically everything (assuming you've made all the correct setups in advance and that any 3rd party packages that you use, also support it, that is) including... wait for it... Plesk's own sw-cp-server which is nice.
....good to know that a switch to a more recent operating system the TLS 1.3 support is there out of the box
ssl_protocols TLSv1.2 TLSv1.3;
smtp_use_tls = yes
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
#Extra changes
tls_preempt_cipherlist = yes
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
see here Postfix TLS Readme
Note that server certificates are not optional in TLS 1.3. To run without certificates you'd have to disable the TLS 1.3 protocol by including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also "smtpd_tls_mandatory_protocols". It is simpler instead to just configure a certificate chain. Certificate-less operation is not recommended.
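Added example, not part of the original thread: a fuller version of the `grep "TLS connection established" maillog` tally posted above, which splits inbound (smtpd) from outbound (smtp) sessions and lists any session that negotiated a protocol older than TLSv1.2 or an anonymous suite such as the AECDH-AES256-SHA entry in that tally. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in Postfix's "TLS connection established" log format
# (hosts and addresses are placeholders, not values from the thread).
sample_maillog() {
cat <<'EOF'
Jan  2 02:20:47 mx postfix/smtpd[1101]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan  2 02:21:03 mx postfix/smtpd[1102]: Anonymous TLS connection established from b.example[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  2 02:21:40 mx postfix/smtp[1103]: Untrusted TLS connection established to c.example[192.0.2.12]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  2 02:22:15 mx postfix/smtpd[1104]: Anonymous TLS connection established from d.example[192.0.2.13]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jan  2 02:23:09 mx postfix/smtpd[1105]: Anonymous TLS connection established from e.example[192.0.2.14]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan  2 02:23:30 mx postfix/smtpd[1106]: connect from f.example[192.0.2.15]
EOF
}

# Count sessions per direction and protocol: "in" = smtpd (server side),
# "out" = smtp (client side). Reads a mail log on stdin.
tls_tally() {
  awk '
    /TLS connection established/ && match($0, /(TLSv[0-9.]+|SSLv[0-9]+) with cipher [^ ]+/) {
      split(substr($0, RSTART, RLENGTH), f, " ")
      dir = ($0 ~ /postfix\/smtpd\[/) ? "in" : "out"
      n[dir " " f[1]]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k2,2 -k3,3
}

# List sessions that used a protocol older than TLSv1.2 or an anonymous
# (unauthenticated) suite, i.e. a cipher name starting with ADH- or AECDH-.
tls_weak() {
  awk '
    /TLS connection established/ && match($0, /(TLSv[0-9.]+|SSLv[0-9]+) with cipher [^ ]+/) {
      split(substr($0, RSTART, RLENGTH), f, " ")
      proto = f[1]; cipher = f[4]; why = ""
      if (proto !~ /^TLSv1\.[23]$/) why = "old-protocol"
      if (cipher ~ /^(ADH|AECDH)-/) why = (why == "" ? "" : why ",") "anonymous-cipher"
      if (why != "") print proto, cipher, why
    }
  '
}

# Run both reports over the constructed sample.
sample_maillog | tls_tally
sample_maillog | tls_weak
```

On a real server, feed the functions the mail log instead, for example `tls_tally < maillog`.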