Zentyal 7.1 how to get TLS1.1 back?

[Zhmak]

Old school Windows XP mail clients like Outlook Express can't connect to server due TLS1.2 as minimal required security level.

Tried to lower minimum TLS level in dovecot in
/etc/dovecot/conf.d/10-ssl.conf by

Code: [Select]

ssl_min_protocol = TLSv1.1
also set in /etc/ssl/

Code: [Select]

[ default_conf ]
ssl_conf = ssl_sect

[ ssl_sect ]
system_default = system_default_sect

[ system_default_sect ]
MinProtocol = TLSv1
# Be less secure when negotiating ciphers, verifying certificates, etc.
CipherString = DEFAULT@SECLEVEL=1

After restarting dovecot still got ssl error

Code: [Select]

openssl s_client -connect my.server.com:995 -tls1_1
CONNECTED(00000003)
4057F8C89C7F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

When I try to lower TLS at postfix config having same behavior on 465 port.

Is Zentyal has specific TLS settings?

[Siroco]

Hi,

To make persistent changes to system configuration, Zentyal uses stubs, otherwise, when restarting a service the changes made will be lost.

- https://doc.zentyal.org/en/appendix-c.html#stubs

In the case of Dovecot, Zentyal only includes the file /etc/dovecot/extra.conf as you can see at the end of the file /etc/dovecot/dovecot.conf, so you can create that configuration file (ensure that root is used for the owner and group, and permissions are 0644). Then you can add the parameters you want to the configuration there.

You could also add new includes following dovecot doc or modify the configuration directly in the dovecot.conf.mas.

- https://doc.dovecot.org/configuration_manual/config_file/

Best regards.