Facebook
Twitter-
We value your experience with Plesk during 2024
Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
Please take this short survey:
https://pt-research.typeform.com/to/AmZvSXkx -
The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
-
We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.
Question Postfix with TLS 1.3 under Ubuntu 16.04
learning_curve
Golden Pleskian
Yes! (see sanitised extract from a test to prove this, below). We're on a different (later) OS than you and we don't use all of the standard features available within Obsidian (some we customise). You can see what we are runing via the forum sig. What specific area are you asking the question about? Then we can give a more relevant / detailed answer which might help?
Thanks for the answer, well I tried the usual settings in postfix for TLS 1.3 under my constellation, but obviously without success. TLS 1.3 is simply not used and my guess is that it's because of the Plesk postfix that doesn't seem to support TLS 1.3 under Ubuntu 16.x or isnt build against openssl 1.1.1. The highest TLS Version which I tested succesfully with "openssl s_client -starttls smtp -crlf -connect mydomain.com:25" is TLS 1.2
also in the maillog
openssl shows the availability of TLS.1.3 ciphers
So I wonder if anyone has already successfully configured it on Ubuntu 16.x.
also in the maillog
Code:
# grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
938 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
54 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
28 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
4 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2 TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)openssl shows the availability of TLS.1.3 ciphers
Code:
# openssl ciphers -v | grep 1.3
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEADSo I wonder if anyone has already successfully configured it on Ubuntu 16.x.
Last edited:
learning_curve
Golden Pleskian
Sorry, should have realised you were only specifcally referring to16.04 above...still, if you're still using the Ubuntu official release OpenSSL (was it 1.0.2g in 16.04?) and this hasn't been upgraded in any way, then that does sound like the most probable cause
Having said that, not sure that even if you resolved this (say by adding OpenSSL 1.1.1 manually / re-compiling yourself etc) can't honestly recall seeing anywhere (but may have easily missed it) that Obsidian (and thus Postfix in your case) does then officially fully support TLSv1.3 on Ubuntu 16.04 anyway... (other than on customer / public websites front end etc via the Plesk provided nginx by default)
Yes I hoped that with Plesk Obsidian more and more support for TLS 1.3 will be added also under Ubuntu 16.x and not "only" for customers’ websites, as well as for mail services and packages like Dovecot & Postfix. But good to know that a switch to a more recent operating system the TLS 1.3 support is there out of the box
Last edited:
learning_curve
Golden Pleskian
Yes! Despite it not being made very clear on this page, if you're running up to date Ubuntu 18.04 LTS with Plesk Obsidian, then TLSv1.3 will run on practically everything (assuming you've made all the correct setups in advance and that any 3rd party packages that you use, also support it, that is) including... wait for it... Plesk's own sw-cp-server
which is nice.Hi there
i have sucessfully upgraded a Ubuntu 16.04.6 LTS to OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1g 21 Apr 2020) plesk websites are running fine with tls 1.3 but mailing i don't know its only tls 1.2 on work.
Maybe someone has an idea where the settings are.
To activate tls 1.3 on websites, i had to change manually in /etc/sw-cp-server/conf.d/ssl.conf
Edit:
i try a direct change at postfix itself /etc/postfix/main.cf and change like:
but it makes no difference only tls.1.2
i think, perhaps its about the server certs
but here is finish for me i don't know how to update this certs in plesk
i have sucessfully upgraded a Ubuntu 16.04.6 LTS to OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1g 21 Apr 2020) plesk websites are running fine with tls 1.3 but mailing i don't know its only tls 1.2 on work.
Maybe someone has an idea where the settings are.
To activate tls 1.3 on websites, i had to change manually in /etc/sw-cp-server/conf.d/ssl.conf
Code:
ssl_protocols TLSv1.2 TLSv1.3;Edit:
i try a direct change at postfix itself /etc/postfix/main.cf and change like:
Code:
smtp_use_tls = yes
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
#Extra changes
tls_preempt_cipherlist = yes
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULLbut it makes no difference only tls.1.2
i think, perhaps its about the server certs
see here Postfix TLS Readme
but here is finish for me i don't know how to update this certs in plesk
Last edited:
